WebApp Sec mailing list archives

Re: htaccess with apache


From: Tim Greer <chatmaster () charter net>
Date: 04 Nov 2003 08:44:00 -0800

On Tue, 2003-11-04 at 02:43, Hans Mueller wrote:
> Hi list
> 
> I've got a little question.
> 
> I've got a mail from someone that my web server (Apache 1.3.20) is not
> secure. In the mail he attached the files .htaccess and passwd
> which are really from my web server.
> 
> I've got some simple CGI scripts on my server and he said
> he used one of them (XXXXXX.ziel.cgi?template=maske1.html.....)
> to get the files.

This problem is with ownership/permissions and the CGI script being
poorly designed.  Although 1.3.20 is old and buggy and insecure in other
ways, this would be an issue on any version of any web server.  The
damage done to view files/content would be restricted to what that CGI
process, run through the Apache web server, would have permission to open
or not, which could depend on CGI wrappers as well.

Dump that horrible CGI script (or fix it), and upgrade the web server
and change the configuration and build to be more secure as well.  Hire
the services of a qualified administrator and programmer to look over
both your web server setup and CGI scripts (and PHP scripts, etc. as
well).  Be wary, there are some people that claim to be experts that have
absolutely no idea what to really look for, but that risk is probably
worth it, since you can't leave this setup and these scripts in their current
state.  Good luck.

-- 
Tim Greer <chatmaster () charter net>
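The fix Tim alludes to ("dump that horrible CGI script, or fix it") comes down to never letting the `template=` parameter name an arbitrary file. The following is an added example, not code from the thread or from the script Hans describes: a template loader that whitelists the name and then checks that the resolved path still lies inside a fixed template directory. `TEMPLATE_DIR`, `resolve_template` and `load_template` are names chosen for this example; the template directory location is an assumption.

```python
import os
import re

# Constructed example (not from the original thread): a hardened template
# loader for a CGI script that takes ?template=<name>. The unsafe pattern it
# replaces is open(os.path.join(TEMPLATE_DIR, name)) with no validation, which
# lets a caller walk out of the directory or request dot-files such as .htaccess.
TEMPLATE_DIR = "/var/www/templates"   # assumed location; adjust for your site

# Allow-list of acceptable names: plain names like maske1.html only.
# No path separators, no leading dot, no other extensions.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.html$")


def resolve_template(name, template_dir=TEMPLATE_DIR):
    """Return the absolute path of the requested template, or None if the
    request must be refused."""
    if not isinstance(name, str) or not _SAFE_NAME.match(name):
        return None
    root = os.path.realpath(template_dir)
    path = os.path.realpath(os.path.join(root, name))
    # Second line of defence: even if the regex is loosened later, or a
    # symlink in the template directory points elsewhere, the resolved path
    # must still be inside template_dir.
    if os.path.commonpath([root, path]) != root:
        return None
    return path


def load_template(name, template_dir=TEMPLATE_DIR):
    """Read a template by name, refusing anything resolve_template rejects."""
    path = resolve_template(name, template_dir)
    if path is None:
        raise PermissionError("template name rejected: %r" % (name,))
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    # Names of the kind an attacker would send are rejected before any open().
    for candidate in ("maske1.html", "../.htaccess", ".htaccess",
                      "../../etc/passwd", "maske1.html/../../passwd"):
        print("%-28s -> %s" % (candidate, resolve_template(candidate)))
```

Note that the regex alone would suffice for the names shown; the `realpath`/`commonpath` check is there so that the script stays safe if someone later relaxes the regex to allow subdirectories. Running the CGI process under a wrapper (suEXEC or similar) with a user that cannot read `.htaccess` or the password file, as Tim mentions, limits the damage if this check is ever bypassed.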
