RE: apache + .htpasswd - bypass pwd check

From: Golden_Eternity (bhodi_jabir@yahoo.com)
Date: 04/25/02


From: "Golden_Eternity" <bhodi_jabir@yahoo.com>
To: "Hallberg Tom" <tom.hallberg@rfv.sfa.se>, <bugtraq@securityfocus.com>
Date: Thu, 25 Apr 2002 09:17:12 -0700

You need to turn off FollowSymLinks in the */public_html/ directories.

> -----Original Message-----
> From: Hallberg Tom [mailto:tom.hallberg@rfv.sfa.se]
> Sent: Thursday, April 25, 2002 12:45 AM
> To: bugtraq@securityfocus.com
> Cc: vuln-dev@security-focus.com
> Subject: apache + .htpasswd - bypass pwd check
>
>
> Hi
>
> Yesterday I managed to bypass the pwd check when using .htpasswd.
> The problem
> now is that I'm not sure how to secure it.
>
> Okay, let's say that user ivan has protected his
> /home/ivan/public_html/topsecret
> directory. And on the same server we have the user johan; from
> his public_html
> directory we make a symlink: ln -s /home/ivan/public_html/topsecret test
> Okay, so then johan tries http://www.hostname.whatever/~johan/test
> and he will end up in ivan's topsecret directory.
>
> So what have I missed in my httpd.conf or something else? :)
>
> thanx
> /Tom
>
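
The change suggested in the reply, as an added httpd.conf sketch that is not part of the original thread. The `Indexes` option and the `AllowOverride` values are assumptions about the rest of the server's configuration; the directory pattern is the one named in the reply.

```apache
# Before (assumed starting point): symlinks under any user's public_html
# are followed regardless of who owns the target, and users may change
# Options from their own .htaccess files.
#
# <Directory /home/*/public_html>
#     Options Indexes FollowSymLinks
#     AllowOverride All
# </Directory>

# After: FollowSymLinks is not set for user web directories.
<Directory /home/*/public_html>
    # "Options" without +/- replaces the inherited set, so FollowSymLinks
    # is dropped here. SymLinksIfOwnerMatch follows a link only when the
    # link and its target have the same owner, so johan's link into
    # ivan's directory is refused while ivan's own links keep working.
    # To forbid symlinks entirely, use "Options Indexes" instead.
    Options Indexes SymLinksIfOwnerMatch

    # Leave "Options" out of AllowOverride so a user cannot switch
    # FollowSymLinks back on from .htaccess. AuthConfig and Limit keep
    # .htpasswd-based protection and host access rules usable.
    AllowOverride AuthConfig Limit
</Directory>
```

The Apache documentation notes that symlink checks are subject to race conditions, so filesystem permissions on the protected directory still matter.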