Re: .htaccess for script aliased directories

----- Original Message ----- From: "Dragon" <dragon@xxxxxxxxxxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Friday, April 25, 2008 3:56 PM
Subject: Re:  .htaccess for script aliased directories


Danie Qian wrote:

----- Original Message ----- From: "Joshua Slive" <joshua@xxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>; "Danie Qian" <daniel@xxxxxxxxxxxxxxxx>
Sent: Friday, April 25, 2008 3:39 PM
Subject: Re:  .htaccess for script aliased directories


On Fri, Apr 25, 2008 at 3:32 PM, Danie Qian <daniel@xxxxxxxxxxxxxxxx> wrote:

        <Limit GET POST>
                require valid-user
        </Limit>

Remove the <Limit GET POST> and </Limit> lines. They are dangerous. See:
http://httpd.apache.org/docs/2.2/mod/core.html#limit

Joshua.

From the above link I can't find anything dangerous except for the fact that it limits requests to the GET and POST methods, about which my users never complained. Or did I miss anything here?
---------------- End original message. ---------------------


No, it does not do what you think.

As you have it in your config, it requires a valid user for only the GET and POST methods. It ALLOWS all other methods without a valid user.


This opens you up to potential attacks. You want to remove the Limit directives so ALL methods will require a valid user.


Dragon


I copied the lines from another server and never thought about it in this way :) Thanks everyone for pointing it out for me to eliminate a potential security problem.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
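Dragon's point is easy to verify from the outside, since Apache runs the authentication check before it hands the request to any handler: with "require valid-user" wrapped in "<Limit GET POST>", only GET, POST (and HEAD, which follows GET) answer 401 without credentials, while any other method is dispatched straight to the CGI script. The probe below is an added example for this thread, not code from the original posts or from the Apache project; it assumes curl is installed and takes the URL of the protected resource as its only argument. It sends one request per method with no credentials and reports every method that was not answered with a 401, which is the list of methods the "<Limit>" block left unprotected (a 405 or 500 from the script still means the auth phase was skipped). After removing the "<Limit>" wrapper, or replacing it with "<LimitExcept GET POST>" so that the named methods are the only ones exempted, the same probe should report nothing.

```shell
#!/bin/sh
# Added example (not from the thread): check which HTTP methods a protected
# URL actually demands credentials for. A method answered with anything other
# than 401 reached the handler without authentication.
# Assumptions: curl is available; $1 is the URL guarded by "require valid-user".
set -eu

# Methods worth probing; the first three are the only ones <Limit GET POST>
# covers (HEAD is restricted whenever GET is).
METHODS="GET HEAD POST PUT DELETE OPTIONS TRACE PATCH PROPFIND"

# Print "METHOD status" for every method in $METHODS, one per line.
probe_methods() {
  url=$1
  for m in $METHODS; do
    if [ "$m" = HEAD ]; then
      # curl -X HEAD waits for a body that never comes; -I is the HEAD switch.
      code=$(curl -s -o /dev/null -I -w '%{http_code}' "$url")
    else
      code=$(curl -s -o /dev/null -X "$m" -w '%{http_code}' "$url")
    fi
    printf '%s %s\n' "$m" "$code"
  done
}

# Read "METHOD status" lines on stdin and print the methods that were served
# without a 401. Apache authenticates before dispatching to the handler, so a
# 200, 405 or 500 here all mean the auth requirement did not apply to that
# method.
unprotected_methods() {
  while read -r m code; do
    [ "$code" = 401 ] || printf '%s\n' "$m"
  done
}

if [ $# -eq 1 ]; then
  results=$(probe_methods "$1")
  printf '%s\n' "$results"
  echo "--- methods served without a 401 (auth not enforced) ---"
  printf '%s\n' "$results" | unprotected_methods
fi
```

Run it as "sh probe.sh http://host/cgi-bin/" against the script-aliased directory. With the original "<Limit GET POST>" configuration, expect GET, HEAD and POST to show 401 and every other method to appear in the second list; with the wrapper removed, the list is empty because every method gets the 401.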