Vulnerability Development mailing list archives

RE: apache + .htpasswd - bypass pwd check


From: "Golden_Eternity" <bhodi_jabir () yahoo com>
Date: Thu, 25 Apr 2002 09:17:12 -0700

You need to turn off FollowSymLinks in the */public_html/ directories.

-----Original Message-----
From: Hallberg Tom [mailto:tom.hallberg () rfv sfa se]
Sent: Thursday, April 25, 2002 12:45 AM
To: bugtraq () securityfocus com
Cc: vuln-dev () security-focus com
Subject: apache + .htpasswd - bypass pwd check


Hi

yesterday I managed to bypass the pwd check when using .htpasswd. The problem now is that I'm not sure how to secure it.

Okay, let's say that user ivan has protected his /home/ivan/public_html/topsecret directory. And on the same server we have the user johan; from his public_html directory we make a symlink: ln -s /home/ivan/public_html/topsecret test. Okay, so then johan tries http://www.hostname.whatever/~johan/test and he will end up in ivan's topsecret directory.

So what have I missed in my httpd.conf or something else? :)

thanx
/Tom

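As an added illustration (not from the thread), here is the UserDir configuration the reply refers to, in its permissive form beside the hardened one. The paths follow the message's example; the surrounding directive values are assumptions about a typical httpd.conf.

```apache
# Permissive: FollowSymLinks lets Apache serve anything a symlink in ~/public_html
# points at. A request for /~johan/test is mapped to /home/johan/public_html/test,
# so access controls attached to ivan's own path (a <Directory> block for
# /home/ivan/public_html or a .htaccess higher in his tree) are never consulted.
<Directory /home/*/public_html>
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig
</Directory>

# Hardened: follow a symlink only when the link and its target have the same
# owner. johan's link to a directory owned by ivan is refused with 403.
<Directory /home/*/public_html>
    Options Indexes SymLinksIfOwnerMatch
    AllowOverride AuthConfig
</Directory>
```

`Options -FollowSymLinks` alone also closes the hole, but it disables per-user mod_rewrite rules in .htaccess, which SymLinksIfOwnerMatch still allows.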