httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] securing a file -one by one the penguins take my sanity away
Date Wed, 28 Aug 2002 09:30:23 GMT
See comments,

Rgds,
Owen Boyle

>-----Original Message-----
>From: Koen Vingerhoets [mailto:koen.vingerhoets@ubench.com]
>
>I want to secure this file:
>http://212.123.31.37/ubclaims/jsp/admin/reset.jsp
>
>It's located in this directory:
>d:\WebAppWas\ubclaims\web\jsp\admin\reset.jsp

Unless you have some funny rewrite rule this won't work. Your filesystem doesn't map onto
your URL-space correctly. How it works is that:

http://server-name/dir1/dir2/file1 --> "DocumentRoot"/dir1/dir2/file1

So your URL will map to "DocumentRoot"/ubclaims/jsp/admin/reset.jsp. However, you can see
that this is not a valid path on your filesystem since you have an extra directory in the
way ("web"). If we assume your DocumentRoot = "d:\WebAppWas" then the URL should be http://212.123.31.37/ubclaims/web/jsp/admin/reset.jsp.
Maybe you made a typo...


>Even if I deny access to d:\WebAppWas (where ALL our files 
>are), I still can
>walk in in the application...
>
>Since this could take like forever over mail (or at least 
>until Doomsday), I
>just attached the httpd.conf file.

I don't normally do this (pore over people's config files...) but I liked your joke about
smacking the Belgian hacker yesterday :-) So I'd make the following comments:

- As Joshua says, fix the backslash/forward slash mix. Use only unix-like forward-slashes
(i.e. "/") in pathnames. It actually says this in the comments in httpd.conf...

- 	<Directory "d:/WebAppWas/Ubclaims/web/jsp/admin">
		Deny from all
	</Directory>

has to go inside the VH that it applies to - currently you have it in the main config where
it is ignored because this directory isn't under the main config DocumentRoot. However, all
it will do is deny access to this directory - which is not what you ultimately want.

- MAIN PROBLEM

You have "AllowOverride None" in the main config which disables reading of .htaccess files.
This is OK but you have to switch it back on again with "AllowOverride AuthConfig" in the
directory container above.




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
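As an added example (not part of Owen's reply and not Koen's attached httpd.conf), here is how the pieces Owen lists fit together in the Apache 1.3/2.0 syntax of this thread's era: forward slashes in Windows paths, the <Directory> container inside the VirtualHost, and AllowOverride switched back on for that one directory so the .htaccess is read. It assumes DocumentRoot is d:/WebAppWas (as Owen assumes), a VirtualHost on port 80, a ServerName, and a password-file path d:/apache/conf/admin.htpasswd; all of these are assumptions, not details from the page.

```apache
# --- httpd.conf (main server section) -------------------------------------
# Assumed DocumentRoot, as in the thread. Forward slashes even on Windows.
DocumentRoot "d:/WebAppWas"

# Global default: .htaccess files are ignored everywhere ...
<Directory "d:/WebAppWas">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# --- httpd.conf (the virtual host that serves the application) ------------
<VirtualHost *:80>
    ServerName claims.example.com          # assumed; not from the thread
    DocumentRoot "d:/WebAppWas"

    # ... except for the admin directory, where AuthConfig directives in a
    # .htaccess are honoured. AllowOverride is only valid inside <Directory>.
    # Note: this protects /ubclaims/web/jsp/admin/, the URL that actually
    # maps onto d:/WebAppWas/ubclaims/web/jsp/admin/ when DocumentRoot is
    # d:/WebAppWas. A plain "Deny from all" here would lock everyone out,
    # including the admins, which is not what is wanted.
    <Directory "d:/WebAppWas/ubclaims/web/jsp/admin">
        AllowOverride AuthConfig
    </Directory>
</VirtualHost>

# --- d:/WebAppWas/ubclaims/web/jsp/admin/.htaccess ------------------------
# Read only because of the AllowOverride AuthConfig above.
# AuthType Basic
# AuthName "Claims admin"
# AuthUserFile "d:/apache/conf/admin.htpasswd"   # assumed path, OUTSIDE DocumentRoot
# Require valid-user

# --- Equivalent without .htaccess (alternative, assumed) ------------------
# Put the same four directives directly in the <Directory> container and
# leave AllowOverride None in place; nothing then depends on per-directory
# files that can be edited or deleted by whoever can write to the web tree:
#
# <Directory "d:/WebAppWas/ubclaims/web/jsp/admin">
#     AuthType Basic
#     AuthName "Claims admin"
#     AuthUserFile "d:/apache/conf/admin.htpasswd"
#     Require valid-user
# </Directory>
```

Create the password file with `htpasswd -c d:/apache/conf/admin.htpasswd <user>` (drop `-c` for subsequent users) and keep it outside every DocumentRoot so it can never be fetched over HTTP. Basic auth sends the password merely base64-encoded on each request, so this only protects the admin page if the vhost is served over HTTPS. Two caveats for anyone applying this to a current server: Apache 2.4 replaced `Order`/`Allow`/`Deny` with `Require all granted` / `Require all denied`, and <Directory> sections in the main server configuration are in fact inherited by every VirtualHost, so the original block was not ignored for being outside the vhost; keeping it inside the vhost, next to the DocumentRoot it protects, is still the clearer place for it.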

