httpd-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: .htaccess
Date Tue, 09 Nov 1999 15:37:42 GMT
Greg Maxwell wrote:

> > That sounds horribly insecure. I could just spoof my in-addr.arpa entry
> > for my IP address and I'm inside your intranet without a password with
> > hardly any effort at all.
> 
> No, I'd check on IP address.. That is:
> 
> allow from 192.168.16.0/24
> allow authusers
> deny all
> 
> or the like.

Ok I understand - the quote from ApacheWeek though said "if it comes
from within a particular domain name", so I assumed you meant DNS.

> If you can spoof traffic from my intranet, then I've got bigger problems.

I don't need to. I could just overwhelm an existing http proxy on your
network, or install my own proxy on a machine on your network using a
trojan trick and use that. There are many very creative things one can
do on a network...

Regards,
Graham
-- 
-----------------------------------------
minfrin@sharp.fm		"There's a moon
					over Bourbon Street
						tonight...
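
The three checks discussed in this thread, modelled as an added example that is not part of the original message: trusting the reverse lookup alone, confirming the name with a forward lookup, and matching the peer address against 192.168.16.0/24. The DNS tables, the host names under `intranet.example`, the address 203.0.113.7 and all function names are constructed for illustration.

```python
import ipaddress

# Constructed DNS data. Whoever holds a reverse (in-addr.arpa) zone can
# publish any PTR name for their own addresses.
PTR = {
    "203.0.113.7": "pc42.intranet.example",    # outside host, spoofed PTR
    "192.168.16.20": "pc20.intranet.example",  # genuine intranet host
}
# Forward zone, controlled by the owner of intranet.example.
A = {
    "pc20.intranet.example": ["192.168.16.20"],
    "pc42.intranet.example": ["192.168.16.42"],
}

def allow_by_ptr_only(peer_ip, suffix):
    """Trust the reverse lookup alone: the check the first quote objects to."""
    return PTR.get(peer_ip, "").endswith(suffix)

def allow_by_confirmed_name(peer_ip, suffix):
    """Forward-confirmed reverse DNS: the name must resolve back to the peer."""
    name = PTR.get(peer_ip, "")
    return name.endswith(suffix) and peer_ip in A.get(name, [])

def allow_by_address(peer_ip, network):
    """Compare the TCP peer address with a CIDR block, no DNS involved."""
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(network)

def decide(peer_ip, authenticated, network, mode="any"):
    """mode="any": address OR password; mode="all": address AND password
    (the same choice Apache's Satisfy directive offers)."""
    by_addr = allow_by_address(peer_ip, network)
    return (by_addr or authenticated) if mode == "any" else (by_addr and authenticated)

if __name__ == "__main__":
    net, suffix = "192.168.16.0/24", ".intranet.example"
    for ip in PTR:
        print(ip, allow_by_ptr_only(ip, suffix),
              allow_by_confirmed_name(ip, suffix), allow_by_address(ip, net))
    # The server only sees the peer address, so a request relayed by a proxy
    # inside the block looks like any other intranet request.
    print(decide("192.168.16.20", False, net, "any"),
          decide("192.168.16.20", False, net, "all"))
```

With `mode="any"` an unauthenticated request from an address inside the block is accepted, which is the case the proxy objection is about; `mode="all"` still asks for the password.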
