httpd-users mailing list archives

From "Danie Qian" <dan...@bestningning.com>
Subject Re: [users@httpd] .htaccess for script aliased directories
Date Fri, 25 Apr 2008 20:32:01 GMT

----- Original Message ----- 
From: "Danie Qian" <daniel@bestningning.com>
To: <users@httpd.apache.org>
Sent: Friday, April 25, 2008 4:16 PM
Subject: Re: [users@httpd] .htaccess for script aliased directories


>
> ----- Original Message ----- 
> From: "Dragon" <dragon@crimson-dragon.com>
> To: <users@httpd.apache.org>
> Sent: Friday, April 25, 2008 3:56 PM
> Subject: Re: [users@httpd] .htaccess for script aliased directories
>
>
>> Danie Qian wrote:
>>
>>>----- Original Message ----- From: "Joshua Slive" <joshua@slive.ca>
>>>To: <users@httpd.apache.org>; "Danie Qian" <daniel@bestningning.com>
>>>Sent: Friday, April 25, 2008 3:39 PM
>>>Subject: Re: [users@httpd] .htaccess for script aliased directories
>>>
>>>
>>>>On Fri, Apr 25, 2008 at 3:32 PM, Danie Qian <daniel@bestningning.com> wrote:
>>>>
>>>>>         <Limit GET POST>
>>>>>                 require valid-user
>>>>>         </Limit>
>>>>
>>>>Remove the <Limit GET POST> and </Limit> lines. They are dangerous. See:
>>>>http://httpd.apache.org/docs/2.2/mod/core.html#limit
>>>>
>>>>Joshua.
>>>
>>> From the above link I can't find anything dangerous except for the fact 
>>> that it limits requests to GET,POST methods, about which my users never 
>>> complained. Or, did I miss out anything here?
>> ---------------- End original message. ---------------------
>>
>>
>> No, it does not do what you think.
>>
>> As you have it in your config, it requires a valid user for only the GET 
>> and POST methods. It ALLOWS all other methods without a valid user.
>>
>>
>> This opens you up to potential attacks. You want to remove the Limit 
>> directives so ALL methods will require a valid user.
>>
>>
>> Dragon
>>
>
> I copied the lines from another server and never thought about it in this 
> way :)
> Thanks everyone for pointing it out for me to eliminate a potential 
> security problem.
>

On second thought, I tested the setting by commenting out the 'require 
valid-user' line completely to see what the browser gets for other methods;
it is actually a 403 Forbidden error instead of an open 200. So I guess I was 
fine with the <Limit GET POST> lines - it only triggers a login 
prompt for GET & POST while leaving the others forbidden. Am I wrong? 


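The configuration below is an added example, not part of the original thread and not Danie's actual .htaccess; the directory path and the password file location are assumptions. It places the poster's `<Limit GET POST>` form next to the form Joshua and Dragon recommend, so the difference in what each one protects is visible in the config itself. Inside `<Limit>`, the enclosed `require` only governs the listed methods (HEAD is counted with GET), so every other method reaches the resource without a credential check; with no `<Limit>` at all, the `require` covers every method. The third block shows the Apache 2.2 `<LimitExcept>` form for the case where GET and POST are meant to be the only methods accepted.

```apache
# Added example, not from the thread. Paths below are assumed placeholders.
# The same lines can live in an .htaccess file where AllowOverride permits
# AuthConfig (for the Auth*/Require lines) and Limit (for Order/Deny).

# 1. The poster's form: "Require valid-user" applies ONLY to GET and POST
#    (and HEAD, which <Limit> treats as GET). PUT, DELETE, OPTIONS,
#    PROPFIND and any other method are not subject to the requirement.
<Directory "/var/www/cgi-bin">
    AuthType Basic
    AuthName "Restricted scripts"
    AuthUserFile "/etc/httpd/passwd/users"
    <Limit GET POST>
        Require valid-user
    </Limit>
</Directory>

# 2. The recommended form: no <Limit> section, so the requirement is
#    evaluated for every request method.
<Directory "/var/www/cgi-bin">
    AuthType Basic
    AuthName "Restricted scripts"
    AuthUserFile "/etc/httpd/passwd/users"
    Require valid-user
</Directory>

# 3. If only GET and POST should be served at all, require a valid user
#    for everything and additionally refuse every method that is not
#    GET or POST (Apache 2.2 Order/Deny syntax, as used by the linked docs).
<Directory "/var/www/cgi-bin">
    AuthType Basic
    AuthName "Restricted scripts"
    AuthUserFile "/etc/httpd/passwd/users"
    Require valid-user
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
```

After changing the configuration, `apachectl configtest` confirms the syntax, and checking the access log for a non-GET/POST request to the directory shows whether it is now answered with 401 (credentials demanded) rather than being passed through to the script.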
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

