httpd-users mailing list archives

From "Nelson, Robert D." <RDNel...@Mail.Donaldson.com>
Subject RE: [users@httpd] htpasswd security question
Date Fri, 30 Aug 2002 18:46:43 GMT
Gunter:

The permissions on the server will certainly be important.  However, as far
as being able to get an .htaccess or .htpasswd file by requesting it through
the Apache, there is a denial...

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

This is probably already in your httpd.conf file and will keep those files
from being directly served.

 ~ Robert


> -----Original Message-----
> From: Gunter Sammet [mailto:Gunter@SammySolutions.com]
> Sent: Friday, August 30, 2002 12:26 PM
> To: Apache Users
> Subject: [users@httpd] htpasswd security question
> 
> 
> Hello all:
> I wrote a script in PHP which pulls users and passwords from a DB and writes
> to the htpasswd file. In order to get this going, I had to make the
> /.htpasswd/<subfolder>/ world writeable (did 777).
> My concern would be security. Are there any security threats if this folder
> is world readable? AFAIK, this folder shouldn't be accessible through the
> web server since it isn't in the public_html directory. But I am a newbie in
> security, so I am not sure if this could be hacked.
> If it is, how could I get the PHP script to create the file with 700 or any
> other secure settings?
> TIA
> 
> Gunter
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
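
For the question in this thread about having the PHP script create the file with restrictive permissions, here is an added example (not code from the thread or from the Apache project). It assumes a POSIX host, PHP 7 or later, a directory owned by the account PHP runs as with mode 700 instead of 777, and a DB that already holds htpasswd-format hashes; the function name `write_htpasswd` and the sample user are hypothetical.

```php
<?php
// Added example; the paths and $users entries below are constructed.

/** Atomically replace an htpasswd file, keeping it at mode 0600 throughout. */
function write_htpasswd(string $path, array $users): void
{
    $dir = dirname($path);
    // A world-writable directory lets any local user replace the file,
    // whatever the file's own mode is, so refuse to use one.
    if (!is_dir($dir) || (fileperms($dir) & 0002)) {
        throw new RuntimeException("$dir is missing or world-writable");
    }

    $lines = '';
    foreach ($users as $name => $hash) {
        $name = (string) $name;
        // ':' separates fields and a newline ends a record in htpasswd files.
        if ($name === '' || preg_match('/[:\r\n]/', $name . $hash)) {
            throw new InvalidArgumentException('invalid user name or hash');
        }
        $lines .= "$name:$hash\n";
    }

    $old = umask(0077);                 // file is created as 0600, never wider
    $tmp = $dir . '/.tmp-' . bin2hex(random_bytes(8));
    $fh = fopen($tmp, 'x');             // 'x' fails if the name already exists
    umask($old);
    if ($fh === false) {
        throw new RuntimeException("cannot create $tmp");
    }
    $ok = fwrite($fh, $lines) === strlen($lines);
    $ok = fclose($fh) && $ok;
    // rename() within one directory is atomic: Apache sees old or new, not half.
    if (!$ok || !rename($tmp, $path)) {
        @unlink($tmp);
        throw new RuntimeException("failed to write $path");
    }
}

// Demo in a private scratch directory (stands in for the real one).
$dir = sys_get_temp_dir() . '/htpasswd-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$file = $dir . '/.htpasswd';
write_htpasswd($file, ['alice' => '$apr1$constructed$notARealHashValue00000']);
printf("%s mode %04o\n", $file, fileperms($file) & 0777);
```

With the directory at 700 and the file at 0600, both owned by the account the web server runs as, Apache can still read the file for authentication while other local accounts can neither read nor replace it.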


