apache + .htpasswd - bypass pwd check
From: Hallberg Tom (tom.hallberg@rfv.sfa.se)
Date: 04/25/02
To: bugtraq@securityfocus.com
From: "Hallberg Tom" <tom.hallberg@rfv.sfa.se>
Date: 25 Apr 2002 09:45:00 +0200

Hi,

Yesterday I managed to bypass the pwd check when using .htpasswd. The problem
now is that I'm not sure how to secure it.

OK, let's say that user ivan has protected his /home/ivan/public_html/topsecret
directory. And on the same server we have the user johan; from his public_html
directory we make a symlink: ln -s /home/ivan/public_html/topsecret test

OK, so then johan tries http://www.hostname.whatever/~johan/test
and he will end up in ivan's topsecret directory.

So what have I missed in my httpd.conf or something else? :)

Thanks
/Tom
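
An audit for the situation described in the message above, added here as an example and not part of the original post: it walks each user's public_html and reports symlinks that resolve outside that user's own web tree or onto a target owned by a different uid (the same ownership comparison Apache's SymLinksIfOwnerMatch option applies before following a link). The function names and the temporary directory layout are constructed for illustration; on a real host the base would be /home.

```python
import os
import tempfile

def audit_symlinks(home_base, web_dir="public_html"):
    """Return (link, target, reason) for symlinks in each user's web dir that
    leave that user's tree or point at something owned by another uid."""
    findings = []
    for user in sorted(os.listdir(home_base)):
        root = os.path.realpath(os.path.join(home_base, user, web_dir))
        if not os.path.isdir(root):
            continue
        # os.walk lists symlinked directories but does not descend into them.
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if not os.path.islink(path):
                    continue
                target = os.path.realpath(path)
                reasons = []
                if os.path.commonpath([root, target]) != root:
                    reasons.append("leaves owner's web tree")
                try:
                    # lstat = owner of the link itself, stat = owner of the target
                    if os.stat(target).st_uid != os.lstat(path).st_uid:
                        reasons.append("target owned by another uid")
                except OSError:
                    reasons.append("dangling or unreadable target")
                if reasons:
                    findings.append((path, target, "; ".join(reasons)))
    return findings

def build_demo(base):
    """Constructed layout matching the post: johan links to ivan's directory."""
    secret = os.path.join(base, "ivan", "public_html", "topsecret")
    os.makedirs(secret)
    johan = os.path.join(base, "johan", "public_html")
    os.makedirs(johan)
    os.symlink(secret, os.path.join(johan, "test"))
    os.symlink(johan, os.path.join(johan, "self"))  # stays inside johan's tree
    return secret

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_demo(base)
        for link, target, why in audit_symlinks(base):
            print(f"{link} -> {target}: {why}")
```

In the demo both users share one uid, so only the path check fires; run as root against real home directories, the ownership check also flags links whose target belongs to another account.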