----- Original Message -----
From: "Danie Qian" <daniel@xxxxxxxxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Friday, April 25, 2008 4:16 PM
Subject: Re: .htaccess for script aliased directories

----- Original Message -----
From: "Dragon" <dragon@xxxxxxxxxxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Friday, April 25, 2008 3:56 PM
Subject: Re: .htaccess for script aliased directories

Danie Qian wrote:

----- Original Message -----
From: "Joshua Slive" <joshua@xxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>; "Danie Qian" <daniel@xxxxxxxxxxxxxxxx>
Sent: Friday, April 25, 2008 3:39 PM
Subject: Re: .htaccess for script aliased directories

On Fri, Apr 25, 2008 at 3:32 PM, Danie Qian <daniel@xxxxxxxxxxxxxxxx> wrote:

    <Limit GET POST>
    require valid-user
    </Limit>

Remove the <Limit GET POST> and </Limit> lines. They are dangerous. See:
http://httpd.apache.org/docs/2.2/mod/core.html#limit

Joshua.

From the above link I can't find anything dangerous except for the fact that it limits requests to GET, POST methods, about which my users never complained. Or, did I miss out anything here?

---------------- End original message. ----------------

No, it does not do what you think.

As you have it in your config, it requires a valid user for only the GET and POST methods. It ALLOWS all other methods without a valid user.

This opens you up to potential attacks. You want to remove the Limit directives so ALL methods will require a valid user.

Dragon

I copied the lines from another server and never thought about it in this way :) Thanks everyone for pointing it out for me to eliminate a potential security problem.
On second thought, I tested the setting by commenting out the 'require valid-user' line completely to see what the browser gets for other methods, and it is actually a 403 Forbidden error instead of an open 200. So I guess I was fine with the <limit>GET POST</limit> lines - it only triggers a login prompt for GET & POST while leaving the others forbidden. Am I wrong?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
To unsubscribe from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
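Dragon's point, that a Require placed inside <Limit GET POST> protects only the listed methods, is easy to audit for across a set of .htaccess files. The following is an added example, not code from the thread or from the Apache project: a small checker that parses an .htaccess fragment, flags every Require directive scoped by a <Limit> section, and reports which methods that section actually covers (listing GET also covers HEAD, as the core.html#limit documentation notes). The two config samples are constructed from the lines quoted above; the AuthName and AuthUserFile values are placeholders.

```python
import re

# Constructed sample based on the .htaccess lines quoted in the thread (weak form).
WEAK_HTACCESS = """\
AuthType Basic
AuthName "Restricted CGI"
AuthUserFile /path/to/.htpasswd
<Limit GET POST>
    require valid-user
</Limit>
"""

# Same policy with the <Limit> wrapper removed, so every method needs a valid user.
FIXED_HTACCESS = """\
AuthType Basic
AuthName "Restricted CGI"
AuthUserFile /path/to/.htpasswd
require valid-user
"""

OPEN_RE = re.compile(r'^\s*<(Limit|LimitExcept)\s+([^>]+)>\s*$', re.IGNORECASE)
CLOSE_RE = re.compile(r'^\s*</(Limit|LimitExcept)>\s*$', re.IGNORECASE)
REQUIRE_RE = re.compile(r'^\s*require\b', re.IGNORECASE)

def covered_methods(methods):
    """Methods a <Limit> section really covers: naming GET also covers HEAD."""
    covered = {m.upper() for m in methods}
    if 'GET' in covered:
        covered.add('HEAD')
    return covered

def find_limited_requires(config):
    """Return [(line_no, covered_methods)] for each Require directive that sits
    inside a <Limit> block, i.e. an auth rule applying only to listed methods."""
    findings = []
    stack = []  # open sections, innermost last: (kind, methods)
    for no, line in enumerate(config.splitlines(), 1):
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1).lower(), tuple(m.group(2).split())))
        elif CLOSE_RE.match(line):
            if stack:
                stack.pop()
        elif REQUIRE_RE.match(line):
            limits = [meths for kind, meths in stack if kind == 'limit']
            if limits:  # scoped by <Limit>: any method not listed is left unprotected
                findings.append((no, covered_methods(limits[-1])))
    return findings
```

A finding means the authentication requirement applies only to the reported methods; an empty list means the Require is unscoped and covers every method.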