www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kelsey Bjarnason <kels...@bc.sympatico.ca>
Subject mod_access/4840: Unauthorized users can access protected areas
Date Mon, 09 Aug 1999 19:25:33 GMT

>Number:         4840
>Category:       mod_access
>Synopsis:       Unauthorized users can access protected areas
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Aug  9 12:30:01 PDT 1999
>Last-Modified:
>Originator:     kelseyb@bc.sympatico.ca
>Organization:
apache
>Release:        1.3.4
>Environment:
Win2K RC1/NTFS.  Distributed build, not recompiled.
>Description:
Create a normal protected directory with typical .htaccess settings to validate usernames
and passwords.  Edit the server configuration files to redirect on 401 errors to a public
page on the server.  When the user gets redirected, if they hit the back button on their browser,
they can get into the "protected" page.  Removing the 401 redirection fixes this - but prevents
one from doing a graceful crap-out. :)
>How-To-Repeat:
It's easy to set up; an .htaccess file, a calling page, a "member page" and a page to redirect
to.  I'm not giving a URL because I ain't changing the server back to what amounts to a public
site. :)
>Fix:
I would expect the user to end up at the first page, not the protected page.  That is, if
/members is a protected directory, and he access it from /misc/index.html, going to /members/goodies.html,
he gets redirected to /cheater.html.  On "back" I'd expect him to end up in /misc/index.html
- the calling page, and not be magically granted permission to /members/.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <apbugs@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]




Mime
View raw message