httpd-dev mailing list archives

From Rob Hartill <r...@imdb.com>
Subject Possible Security Hole??? (fwd)
Date Tue, 01 Apr 1997 17:43:23 GMT

Should we add something like this:

<Files ~ ".htaccess$">
	order deny,allow
	deny from all
</Files>


to access.conf ?

There are other tricks to protect .htaccess, but this looks the
cleanest, although I couldn't get it to work on my heavily customised
Apache here.


---------- Forwarded message ----------
Date: Tue, 1 Apr 1997 10:58:23 -0500
From: "P.J." <gambler@mailmasher.com>
To: "'apache-bugs@apache.org'" <apache-bugs@apache.org>
Subject: Possible Security Hole???


While browsing around on my system just now, I found that you can view a .htaccess file just
by typing it into the address line.  Most people don't keep any passwords in there, but they
might have a require-user line that they don't want others to see.

My System:

RedHat Linux 4.1 kernel 2.0.29
Apache 1.2b7
Browsers used: Lynx 2.6, Netscape 4.0, MSIE 3.2

If this is something that I could easily have fixed myself, then I am sorry for bothering
you.
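
An added example, not part of either message above and not Apache project code: a small Python check that reads configuration text and reports whether a `<Files>` section like the one proposed in this thread denies all clients access to `.htaccess`. The function names and the sample configurations are hypothetical and constructed for illustration. It assumes Python's `re` is close enough to Apache's regex matching for such patterns, and it evaluates each `<Files>` section on its own without modelling how Apache merges sections.

```python
import fnmatch
import re

# Constructed sample input: the block proposed in the message, and a weaker variant.
PROPOSED = '<Files ~ ".htaccess$">\n\torder deny,allow\n\tdeny from all\n</Files>\n'
WEAKENED = '<Files .htaccess>\norder deny,allow\ndeny from all\nallow from 10.0.0.0/8\n</Files>\n'

# <Files [~] "pattern"> ... </Files>, case-insensitive, body may span lines.
FILES_BLOCK = re.compile(r'<Files\s+(~\s*)?"?([^">]+)"?\s*>(.*?)</Files>', re.I | re.S)


def section_matches(is_regex, pattern, basename):
    """<Files> applies to the file's basename: a regex after "~", else a wildcard."""
    if is_regex:
        # Assumption: Python's re approximates Apache's regex engine here.
        return re.search(pattern, basename) is not None
    return fnmatch.fnmatchcase(basename, pattern)


def section_denies_all(body):
    """True if the section's order/deny/allow directives leave no client allowed."""
    order, deny_all, has_allow = "deny,allow", False, False
    for line in body.splitlines():
        words = line.split("#", 1)[0].lower().split()
        if not words:
            continue
        if words[0] == "order" and len(words) > 1:
            order = words[1]
        elif words[:3] == ["deny", "from", "all"]:
            deny_all = True
        elif words[:2] == ["allow", "from"]:
            has_allow = True
    # Under "deny,allow" an Allow line overrides Deny; under "allow,deny" Deny wins.
    return deny_all and (order == "allow,deny" or not has_allow)


def is_protected(config_text, basename=".htaccess"):
    """True if some <Files> section that matches basename denies every client."""
    return any(
        section_matches(bool(tilde), pattern.strip(), basename)
        and section_denies_all(body)
        for tilde, pattern, body in FILES_BLOCK.findall(config_text)
    )


if __name__ == "__main__":
    for name, text in (("proposed", PROPOSED), ("weakened", WEAKENED), ("empty", "")):
        print(name, "->", "protected" if is_protected(text) else "EXPOSED")
```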

