httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Leggett <>
Subject Re: .htaccess
Date Tue, 09 Nov 1999 15:37:42 GMT
Greg Maxwell wrote:

> > That sounds horribly insecure. I could just spoof my entry
> > for my IP address and I'm inside your intranet without a password with
> > hardly any effort at all.
> No, I'd check on IP address.. That is:
> allow from
> allow authusers
> deny all
> or the like.

Ok I understand - the quote from ApacheWeek though said "if it comes
from within a particular domain name", so I assumed you meant DNS.

> If you can spoof traffic from my intranet, then I've got bigger problems.

I don't need to. I could just overwhelm an existing http proxy on your
network, or install my own proxy on a machine on your network using a
trojan trick and use that. There are many very creative things one can
do on a network...

-----------------------------------------		"There's a moon
					over Bourbon Street

View raw message