WebApp Sec mailing list archives

Re: htaccess with apache


From: Vladimir Danilyuk <lt () lordtime com>
Date: Tue, 4 Nov 2003 15:11:11 +0200

Hans,

Tuesday, November 4, 2003, 12:43:41 PM, you wrote:


HM> Hi list

HM> I've got a little question.

HM> I've got a mail from someone that my Webserver (Apache 1.3.20) is not
HM> secure. In the Mail he attached the files .htaccess and passwd
HM> which are really from my Web-Server.

HM> I've got some simple cgi-Scripts on my server and he said
HM> he used one of them (XXXXXX.ziel.cgi?template=maske1.html.....)
HM> to get the files. I thought a Directory secured with mod_access
HM> cannot be read/accessed without the proper password.
HM> Unfortunately the guy is not answering to my eMails
HM> and I want to secure my Webserver. Even if he just read
HM> the Files (Tripwire didn't show any changes), and didn't
HM> write something to the server.

HM> How is it possible to read the files secured with mod_access
HM> with a cgi script?

    Of course this is possible, since the script is reading your files
    using OS calls.

    Apache modules cannot control file access if the actual access to them
    is made from a script or any other application.


HM> Thanks to all and sorry for my funny
HM> English

HM> Hans



-------------------------------------------------------------
 Vladimir Danilyuk                
 http://lordtime.com              ICQ:   44562019, 44726644
 http://internetvibes.net         mailto:lt () lordtime com
-------------------------------------------------------------
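
Added example, not part of the original thread: because the script opens files with OS calls under its own privileges, the value of a `template=` parameter has to be confined by the script itself. The thread does not say what language the CGI scripts are written in; Python is assumed here, and `resolve_template`, `ALLOWED_EXT`, `demo` and the directory layout are hypothetical names built for the illustration.

```python
import os
import tempfile

ALLOWED_EXT = {".html"}  # assumption: templates are plain .html files


def resolve_template(template_dir, name):
    """Return the real path of a requested template or raise ValueError."""
    # Apache's access rules do not apply here: open() is an OS call made with
    # the CGI process's own privileges, so the script has to confine itself.
    if not name or "\x00" in name:
        raise ValueError("empty or malformed template name")
    # Accept a bare file name only: no directory parts, no dotfiles.
    if os.path.basename(name) != name or name.startswith("."):
        raise ValueError("template name must be a plain file name")
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise ValueError("template extension not allowed")
    base = os.path.realpath(template_dir)
    path = os.path.realpath(os.path.join(base, name))
    # realpath() follows symlinks, so a link pointing outside is caught here.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("template resolves outside the template directory")
    if not os.path.isfile(path):
        raise ValueError("no such template")
    return path


def demo():
    """Build a constructed document root and try several template values."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        tdir = os.path.join(root, "templates")
        os.mkdir(tdir)
        with open(os.path.join(tdir, "maske1.html"), "w") as f:
            f.write("<html>form</html>")
        with open(os.path.join(root, ".htaccess"), "w") as f:
            f.write("AuthType Basic\n")
        os.symlink(os.path.join(root, ".htaccess"), os.path.join(tdir, "link.html"))
        for name in ("maske1.html", "../.htaccess", ".htaccess", "/etc/passwd", "link.html"):
            try:
                resolve_template(tdir, name)
                results[name] = "served"
            except ValueError as exc:
                results[name] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    print(demo())
```

Running the CGI process as a user that cannot read `.htaccess` or the password file at all is the complementary control, since it holds even if a check like this one is missed in another script.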

