Re: apache + .htpasswd - bypass pwd check
From: Jose Nazario (jose@monkey.org)
Date: 04/25/02
- In reply to: Hallberg Tom: "apache + .htpasswd - bypass pwd check"
Date: Thu, 25 Apr 2002 12:19:45 -0400 (EDT)
From: Jose Nazario <jose@monkey.org>
To: Hallberg Tom <tom.hallberg@rfv.sfa.se>
On 25 Apr 2002, Hallberg Tom wrote:
>
> Okay, let's say that user ivan has protected his
> /home/ivan/public_html/topsecret directory. And on the same server we
> have the user johan; from his public_html directory we make a symlink:
> ln -s /home/ivan/public_html/topsecret test
> Okay, so then johan tries http://www.hostname.whatever/~johan/test
> and he will end up in ivan's topsecret directory.
old news:
http://www.humanfactor.com/cgi-bin/cgi-delegate/apache-ML/nh/1997/May/0397.html
fix:
http://www.freebsddiary.org/protected.php
summary:
Options -FollowSymLinks +SymLinksIfOwnerMatch or something similar
sorry, my apache is a bit rusty. however, it's a known issue and should be
configurable around.
___________________________
jose nazario, ph.d. jose@monkey.org
http://www.monkey.org/~jose/
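
Added example (not part of the original message and not Apache's own code): a Python audit an administrator could run to list symlinks under per-user web roots whose target is owned by a different uid than the link itself, the same owner comparison that SymLinksIfOwnerMatch applies. The /home/*/public_html layout is assumed from the thread; the function and record names are hypothetical.

```python
#!/usr/bin/env python3
"""Added example: audit per-user web roots for cross-owner symlinks."""
import glob
import os
from collections import namedtuple

# Hypothetical record type used only by this example.
Finding = namedtuple("Finding", "link target link_uid target_uid")


def owner_mismatch_symlinks(docroot, lstat=os.lstat, stat=os.stat):
    """Return symlinks under docroot whose target uid differs from the link uid.

    lstat() describes the link itself, stat() describes what it points to.
    Both are injectable so the check can be exercised without root.
    """
    findings = []
    # followlinks=False: report a directory symlink but never descend into it.
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            link_uid = lstat(path).st_uid
            try:
                target_uid = stat(path).st_uid
            except OSError:
                continue  # dangling or unreadable target: nothing is served
            if link_uid != target_uid:
                findings.append(
                    Finding(path, os.path.realpath(path), link_uid, target_uid)
                )
    return findings


if __name__ == "__main__":
    # Assumed layout from the thread: /home/<user>/public_html
    for root in sorted(glob.glob("/home/*/public_html")):
        for f in owner_mismatch_symlinks(root):
            print(f"{f.link} -> {f.target} "
                  f"(link uid {f.link_uid}, target uid {f.target_uid})")
```

Run it as a user that can read every home directory. Apache's documentation notes that the SymLinksIfOwnerMatch check is subject to race conditions, so a periodic audit like this complements the directive rather than replacing it.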