httpd-dev mailing list archives

From Brian Behlendorf <>
Subject Re: Possible security problem?
Date Sun, 17 Nov 1996 22:51:20 GMT
On Thu, 14 Nov 1996, Ben Laurie forwarded a message from Steven Bellovin

> > Blatant assertion:  servers should refuse to deal with directories without
> > explicit index.html files.  If it's not there, the directory won't be
> > served.  I'd like a further check to guard against folks asking for
> > directory/.htpasswd and the like -- none of their business.  It's easy
> > to assert that the server shouldn't pass back . files, and maybe some
> > are like that already.  But the bottom line is that files should be
> > retrievable if and only if someone has taken positive action to make them
> > so.

So, there are two things we /could/ do:  

  1) turn off the Options Indexes in the default access.conf-dist
     I /know/ we'll get messages from confused beginners about this.

  2) add something like the following to access.conf-dist:

      <Files .*>
      deny from all
      </Files>

     Will that work to prevent access to all . files?
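
Added example, not part of the original message or of Apache's own code: a Python sketch that audits a document root against both options above, listing directories with no index.html and the files a `<Files .*>` rule would deny. It assumes a `<Files>` wildcard is compared with the last path component only, uses Python's fnmatch as a stand-in for the server's matcher, and runs on a constructed sample tree; all function names are hypothetical.

```python
import fnmatch
import os
import tempfile

FILES_PATTERN = ".*"  # the wildcard from the proposed <Files .*> section


def files_section_matches(path, pattern=FILES_PATTERN):
    """Model <Files>: the wildcard is tested against the basename only (assumption)."""
    return fnmatch.fnmatchcase(os.path.basename(path), pattern)


def audit_docroot(docroot, index_name="index.html"):
    """Return (dirs lacking an index file, dotfiles the rule denies,
    files under dot-directories whose own name the rule does not match)."""
    listable, denied, uncovered = [], [], []
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames.sort()  # deterministic traversal order
        rel_dir = os.path.relpath(dirpath, docroot)
        if index_name not in filenames:
            listable.append(rel_dir.replace(os.sep, "/"))
        parts = [p for p in rel_dir.split(os.sep) if p != "."]
        in_dot_dir = any(p.startswith(".") for p in parts)
        for name in sorted(filenames):
            rel = "/".join(parts + [name])
            if files_section_matches(rel):
                denied.append(rel)
            elif in_dot_dir:
                uncovered.append(rel)
    return listable, denied, uncovered


def build_sample_tree(root):
    """Constructed sample document root, not taken from the original message."""
    layout = ["index.html", ".htpasswd", "docs/readme.txt",
              "docs/.htaccess", ".backup/passwords.txt"]
    for rel in layout:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")


def run_sample():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_docroot(root)


if __name__ == "__main__":
    for label, items in zip(("listable", "denied", "uncovered"), run_sample()):
        print(label, items)
```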


