From: "Peter J Milanese"
Date: Wed, 5 Oct 2005 04:38:48 -0400
To: "users"
Subject: Re: [users@httpd] security

There are a number of ways to handle this. If your site is a mix of auth/anon, you probably want to put it in the php.
Just do an isset in the php. Documentation on php.net should be helpful.

-----------------
Sent from my NYPL BlackBerry Handheld.

----- Original Message -----
From: [baynaa@mobinet.mn]
Sent: 10/05/2005 04:33 AM
To: <users@httpd.apache.org>
Subject: [users@httpd] security

Hi,

In our web, users should login to access certain contents. But today we've just realized that one can access those contents without logging in. In other words, just typing http://xxx.xx/graph_view.php?action=tree&tree_id=22 brings the graphs. We are using free software, maybe that's why it is not so secure. Can anyone suggest how to prevent these kinds of things? How can I configure Apache so that it won't bring the page if it has REMOTE_USER env variable not set? Or does it have nothing to do with Apache?

BR, Baynaa.

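The "isset in the php" check suggested in the reply, written out as an added example (not code from the thread or from the application being discussed). It assumes Apache itself performs the login, so that REMOTE_USER is set for authenticated requests; the file name `auth_guard.php` and both function names are hypothetical. If the application uses its own login form instead, the same guard would test the session value that the login code sets.

```php
<?php
// auth_guard.php -- hypothetical include file (name is an assumption).
// Load it as the FIRST statement of every script that must not be served
// anonymously, before any query parameter such as tree_id is read:
//
//   require_once __DIR__ . '/auth_guard.php';
//   $user = require_authenticated_user();

/**
 * Return the authenticated user name, or null if the request is anonymous.
 *
 * Apache sets REMOTE_USER only after one of its auth modules has accepted
 * the credentials for this request. It is a server-side variable: never
 * substitute an HTTP_* entry, because those are copied from client headers.
 */
function authenticated_user(array $server): ?string
{
    // After an internal redirect (e.g. mod_rewrite) Apache exposes the
    // value as REDIRECT_REMOTE_USER, so check both names.
    foreach (['REMOTE_USER', 'REDIRECT_REMOTE_USER'] as $key) {
        if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    return null;
}

/**
 * Stop the request with 403 unless a user is authenticated.
 * Returns the user name so the caller can use it for per-user checks.
 */
function require_authenticated_user(): string
{
    $user = authenticated_user($_SERVER);
    if ($user === null) {
        // Refuse before any page logic runs, and keep the refusal out of caches.
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        header('Cache-Control: no-store');
        exit("Forbidden: login required.\n");
    }
    return $user;
}
```

The guard has to be present in every directly requestable script, since a URL typed by hand bypasses whatever page normally links to it.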