WebApp Sec mailing list archives
Re: htaccess with apache
From: Peter Conrad <conrad () tivano de>
Date: Tue, 4 Nov 2003 14:28:45 +0100
Hi,

On Tue, Nov 04, 2003 at 10:43:41AM -0000, Hans Mueller wrote:
> I've got a mail from someone that my Webserver (Apache 1.3.20) is not secure. In the mail he attached the files .htaccess and passwd, which are really from my Web-Server. I've got some simple cgi-Scripts on my server and he said he used one of them (XXXXXX.ziel.cgi?template=maske1.html.....) to get the files. I thought a directory secured with mod_access cannot be read/accessed without the proper password. Unfortunately the guy is not answering my e-mails and I want to secure my Webserver. Even if he just read the files (Tripwire didn't show any changes), and didn't write something to the server. How is it possible to read the files secured with mod_access with a cgi script?

Probably due to a security bug in said cgi script. A wild guess would be that he called XXXXXX.ziel.cgi?template=.htaccess or XXXXXX.ziel.cgi?template=/etc/passwd . Check your apache logfile, it'll probably contain the bad requests.

Btw, if you need professional support just give us a call. ;-)

Bye,
Peter
--
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                      http://www.tivano.de/
63263 Neu-Isenburg
Germany
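The log check suggested in the reply above, as an added example that is not part of the original message: it scans Apache access log lines for `template` values that could leave the template directory. It goes beyond the two guessed requests by also flagging parent-directory and repeatedly URL-encoded values. The `/cgi-bin/` path, the sample log lines and the assumption that valid templates look like `maske1.html` are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache common log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) \S+')
# Assumption: legitimate templates are plain names such as maske1.html
SAFE_TEMPLATE = re.compile(r'[A-Za-z0-9_-]+\.html')

def fully_decode(value, rounds=3):
    """Undo repeated URL encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return why a template value is suspicious, or None if it looks normal."""
    parts = re.split(r'[/\\]', value)
    if value.startswith('/'):
        return 'absolute path'
    if '..' in parts:
        return 'parent directory'
    if parts[-1].startswith('.'):
        return 'dotfile'
    if not SAFE_TEMPLATE.fullmatch(value):
        return 'unexpected name'
    return None

def scan(lines, param='template'):
    """Return (client, time, status, decoded value, reason) for flagged requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, target, status = m.groups()
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for raw in query.get(param, []):
            value = fully_decode(raw)
            reason = classify(value)
            if reason:
                findings.append((client, when, status, value, reason))
    return findings

SAMPLE_LOG = [  # constructed lines, documentation-range addresses
    '192.0.2.10 - - [04/Nov/2003:09:12:01 +0100] "GET /cgi-bin/XXXXXX.ziel.cgi?template=maske1.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [04/Nov/2003:09:14:33 +0100] "GET /cgi-bin/XXXXXX.ziel.cgi?template=.htaccess HTTP/1.0" 200 143',
    '198.51.100.7 - - [04/Nov/2003:09:14:40 +0100] "GET /cgi-bin/XXXXXX.ziel.cgi?template=/etc/passwd HTTP/1.0" 200 1630',
    '198.51.100.7 - - [04/Nov/2003:09:15:02 +0100] "GET /cgi-bin/XXXXXX.ziel.cgi?template=%252e%252e%252fpasswd HTTP/1.0" 404 210',
]
```

A flagged request logged with status 200 is the one to look at first, since the script answered it instead of rejecting it.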