httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Danie Qian" <dan...@bestningning.com>
Subject Re: [users@httpd] .htaccess for script aliased directories
Date Fri, 25 Apr 2008 20:16:17 GMT

----- Original Message ----- 
From: "Dragon" <dragon@crimson-dragon.com>
To: <users@httpd.apache.org>
Sent: Friday, April 25, 2008 3:56 PM
Subject: Re: [users@httpd] .htaccess for script aliased directories


> Danie Qian wrote:
>
>>----- Original Message ----- From: "Joshua Slive" <joshua@slive.ca>
>>To: <users@httpd.apache.org>; "Danie Qian" <daniel@bestningning.com>
>>Sent: Friday, April 25, 2008 3:39 PM
>>Subject: Re: [users@httpd] .htaccess for script aliased directories
>>
>>
>>>On Fri, Apr 25, 2008 at 3:32 PM, Danie Qian <daniel@bestningning.com> 
>>>wrote:
>>>
>>>>         <Limit GET POST>
>>>>                 require valid-user
>>>>         </Limit>
>>>
>>>Remove the <Limit GET POST> and </Limit> lines. They are dangerous.
See:
>>>http://httpd.apache.org/docs/2.2/mod/core.html#limit
>>>
>>>Joshua.
>>
>> From the above link I cant find anything dangerous except for the fact 
>> that it limits requests to GET,POST methods, about which my users never 
>> complained. Or, did I miss out anything here?
> ---------------- End original message. ---------------------
>
>
> No, it does not do what you think.
>
> As you have it in your config, it requires a valid user for only the GET 
> and POST methods. It ALLOWS all other methods without a valid user.
>
>
> This opens you up to potential attacks. You want to remove the Limit 
> directives so ALL methods will require a valid user.
>
>
> Dragon
>

I copied the lines from another server and never thought about it in this 
way :)
Thanks everyone for pointing it out for me to eliminate a potential security 
problem. 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message