Re: htaccess with apache

[Peter Conrad <conrad () tivano de>]

Hi,

On Tue, Nov 04, 2003 at 10:43:41AM -0000, Hans Mueller wrote:
> I've got a mail from someone that my Webserver (Apache 1.3.20)is not
> secure. In the Mail he attached the files .htaccess und passwd
> which are really from my Web-Server.
>
> I've got some simple cgi-Scripts on my server and he said
> he used one of them (XXXXXX.ziel.cgi?template=maske1.html.....)
> to get the files. I thought a Directory secured with mod_access
> cannot be read/accessed without the proper password.
> Unfortunately the guy is not answering to my eMails
> and I want to secure my Webserver. Even if he just read
> the Files (Tripwire didn't show any changes), and didn't
> wrote something to the server.
>
> How is it possible to read the files secured with mod_access
> with a cgi script?

probably due to a security bug in said cgi script. A wild guess would be
that he called XXXXXX.ziel.cgi?template=.htaccess or 
XXXXXX.ziel.cgi?template=/etc/passwd . Check your apache logfile, it'll
probably contain the bad requests.

Btw, if you need professional support just give us a call. ;-)

Bye,
        Peter
-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                      http://www.tivano.de/
63263 Neu-Isenburg

Germany