WebApp Sec mailing list archives
Re: htaccess with apache
From: Tim Greer <chatmaster () charter net>
Date: 04 Nov 2003 08:44:00 -0800
On Tue, 2003-11-04 at 02:43, Hans Mueller wrote:
Hi list, I've got a little question. I've got a mail from someone that my Webserver (Apache 1.3.20) is not secure. In the mail he attached the files .htaccess and passwd, which are really from my Web-Server. I've got some simple cgi-Scripts on my server and he said he used one of them (XXXXXX.ziel.cgi?template=maske1.html.....) to get the files.
This problem is with ownership/permissions and the CGI script being poorly designed. Although 1.3.20 is old and buggy and insecure in other ways, this would be an issue on any version of any web server. The damage done to view files/content would be restricted to what that CGI process run through the Apache web server would have permission to open or not, which could depend on CGI wrappers or not as well.

Dump that horrible CGI script (or fix it), and upgrade the web server and change the configuration and build to be more secure as well. Hire the services of a qualified administrator and programmer to look over both your web server setup and CGI scripts (and PHP scripts, etc. as well). Be wary, there are some people that claim to be experts that have absolutely no idea what to really look for, but that risk is probably worth it, since you can't leave this setup and scripts in their current state. Good luck.

--
Tim Greer <chatmaster () charter net>
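An added example, not part of the original message or the poster's script: one way a CGI handler could resolve a `template` parameter so that it can only open files inside its own template directory. Python stands in for the CGI's language; the directory layout, the file-name pattern and the function names are assumptions.

```python
import os
import re
import tempfile

# Assumption: templates are flat files named like "maske1.html" in one directory.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.html")

class TemplateRejected(Exception):
    pass

def resolve_template(template_dir, name):
    """Return the real path of an allowed template, or raise TemplateRejected."""
    # 1. Allowlist the name: no separators, no leading dot, no NUL, fixed suffix.
    if not SAFE_NAME.fullmatch(name):
        raise TemplateRejected("name not in allowed form")
    base = os.path.realpath(template_dir)
    path = os.path.realpath(os.path.join(base, name))
    # 2. Containment: with symlinks resolved, the file must still sit in base.
    if os.path.dirname(path) != base:
        raise TemplateRejected("resolves outside template directory")
    if not os.path.isfile(path):
        raise TemplateRejected("no such template")
    return path

def write_file(path, text):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)

def demo():
    """Build a constructed docroot and return the outcome for each request."""
    requests = ["maske1.html", "../.htaccess", ".htaccess",
                "link.html", "maske1.html\0.txt", "missing.html"]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        tdir = os.path.join(root, "templates")
        os.mkdir(tdir)
        write_file(os.path.join(tdir, "maske1.html"), "<p>form</p>")
        write_file(os.path.join(root, ".htaccess"), "AuthType Basic\n")
        # A symlink inside the template directory that points out of it.
        os.symlink(os.path.join(root, ".htaccess"), os.path.join(tdir, "link.html"))
        for name in requests:
            try:
                resolve_template(tdir, name)
                results[name] = "served"
            except TemplateRejected as exc:
                results[name] = "rejected: " + str(exc)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(repr(name), "->", outcome)
```

The name check and the containment check are independent layers; file ownership and permissions on `.htaccess` and the password file still decide what the CGI process could read if both were bypassed.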