Delivered-To: mailing list users@httpd.apache.org
Date: Wed, 5 Oct 2005 14:47:31 +0200
From: "Boyle Owen"
Subject: RE: [users@httpd] security

Plain text please...

This has nothing to do with the "software" not being secure. It is simply that you have not configured access to the resource correctly.

It is impossible to be certain about what you have done wrong but (based on the pretend URL you quoted) I would guess you have your main page in a protected realm but are referring to images which are outside the realm. For example:

http://your-site/dir/page.html - this is under password access, but the page contains an image ref like: . Then the request for the image is like http://your-site/image.png. Since this is not under /dir, it is not protected.

If you'd like to provide a link to the page in question, I'd be happy to check it.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

-----Original Message-----
From: baynaa@mobinet.mn [mailto:baynaa@mobinet.mn]
Sent: Wednesday, 5 October 2005 10:33
To: users@httpd.apache.org
Subject: [users@httpd] security

Hi,

In our web, users should log in to access certain contents. But today we've just realized that one can access those contents without logging in. In other words, just typing http://xxx.xx/graph_view.php?action=tree&tree_id=22 brings the graphs. We are using free software; maybe that's why it is not so secure. Can anyone suggest to me how to prevent these kinds of things? How can I configure Apache so that it won't bring the page if it has the REMOTE_USER env variable not set? Or does it have nothing to do with Apache?

BR,
Baynaa.
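To put Owen's diagnosis and Baynaa's REMOTE_USER question into a form you can check, here is an added example (my own code, not from either poster or the httpd project). It parses two constructed httpd config fragments, the misconfiguration with only /dir protected and the fix that requires a valid user for every path, and lists which of a page's referenced paths httpd would serve without a login; it assumes DocumentRoot /var/www/html and approximates httpd's scoping with a path-prefix match.

```python
# Added example, not from the thread: report the URL paths that fall outside
# every httpd block carrying "Require valid-user" (prefix match approximates httpd).
import re
DOCROOT = "/var/www/html"  # assumed DocumentRoot, maps <Directory> to URLs

# Constructed: the mistake Owen describes, /dir is protected, the rest is open.
WEAK_CONF = """
<Directory /var/www/html/dir>
    AuthType Basic
    Require valid-user
</Directory>
"""

# Constructed: the fix Baynaa asks for, every request must carry REMOTE_USER.
FIXED_CONF = """
<Location />
    AuthType Basic
    Require valid-user
</Location>
"""

BLOCK_RE = re.compile(r"<(Directory|Location)\s+([^>]+)>(.*?)</\1>", re.S)

def protected_prefixes(conf: str) -> list[str]:
    """URL prefixes covered by a Directory/Location block requiring a user."""
    prefixes = []
    for kind, path, body in BLOCK_RE.findall(conf):
        if not re.search(r"^\s*Require\s+valid-user\s*$", body, re.M):
            continue  # block exists but grants access without authentication
        path = path.strip().strip('"')
        if kind == "Directory":
            if not path.startswith(DOCROOT):
                continue  # outside the docroot, not reachable by URL here
            path = path[len(DOCROOT):]
        prefixes.append(path.rstrip("/") or "/")
    return prefixes

def is_protected(url_path: str, prefixes: list[str]) -> bool:
    """Whole-segment prefix match, as httpd applies these blocks."""
    return any(p == "/" or url_path == p or url_path.startswith(p + "/")
               for p in prefixes)

def unprotected(conf: str, paths: list[str]) -> list[str]:
    prefixes = protected_prefixes(conf)
    return [p for p in paths if not is_protected(p, prefixes)]

if __name__ == "__main__":
    refs = ["/dir/page.html", "/image.png", "/graph_view.php"]  # constructed
    print("weak config leaves open:", unprotected(WEAK_CONF, refs))
    print("fixed config leaves open:", unprotected(FIXED_CONF, refs))
```

A block that contains AuthType but no Require line is reported as unprotected on purpose, since httpd sets REMOTE_USER only when a Require directive forces authentication.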