www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tammy McKean <ta...@synchronis.com>
Subject mod_access/4602: Deny directive not denying access
Date Thu, 17 Jun 1999 22:20:58 GMT

>Number:         4602
>Category:       mod_access
>Synopsis:       Deny directive not denying access
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Jun 17 15:30:00 PDT 1999
>Last-Modified:
>Originator:     tammy@synchronis.com
>Organization:
apache
>Release:        1.3.6
>Environment:
Linux myhost 2.0.36 #1 Thu Jan 14 12:38:58 PST 1999 i686 unknown
>Description:
I have some summaries from newsgroups where this has been posted without successful resolution:

> Hi All:
>
> I run Apache 1.36 on a Slackware 4.0 Linux kernel 2.2.9 and
> virtually host 5 personal sites - just for fun stuff.
>
> I made an entry in the httpd.conf file to deny access to the
> anonymizer.com service that a local hostile hacker was using
> to hide his identity.
>
> Here is my entry with the commented text removed:
>
> <Directory "/usr/local/apache/htdocs">
>     Options Indexes FollowSymLinks
>     AllowOverride None
>     Order allow,deny
>     Allow from all
>     Deny from 209.75.196.
> </Directory>
>
> According to my understanding, this should deny access to
> anyone originating from the anonymizer.com site.
>
> The problem is it doesn't block anything.
>
> Everything else appears to function as advertised.
>
> Is the Apache feature broken?
>
> Best regards,
>
> Brian

Subject:
             Deny Directive Not Working!
        Date:
             Thu, 17 Jun 1999 20:51:42 GMT
       From:
             Tammy <tammy@synchronis.com>
 Organization:
             Cyberverse, Inc.
 Newsgroups:
             comp.infosystems.www.servers.unix




Hi,

I'm implementing the Deny directive like so:

    Order deny,allow
    Deny from .whatever.com 207.171.231.230
    Allow from all

in my httpd.conf, yet access is NOT denied to the specified domain or ip. I
tested this by putting in my own ip and testing from my box via Netscape and
telnet.

I put the Deny in a Directory container and in a Directory container inside a
VirtualHost - still neither  works. This seems like it should be REALLY
SIMPLE... what am I missing here?!

Deny is an Access Handler, I don't reference any other Access Handlers so
nothing should be short-circuiting the call to mod_access.

Any insight GREATLY appreciated (it's always the 'simple' things that kill me).

thanks,
    -tm

--


tammy@synchronis.com

>How-To-Repeat:
Create Deny directives in httpd.conf and restart the server.
Request the denied content from the denied host/ip.
I have repeated on this Linux 5.2 using apache 1.3.4 and 1.3.6.
>Fix:

>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <apbugs@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]




Mime
View raw message