>Number:         867
>Category:       config
>Synopsis:       satisfy tag in .htaccess allows access from all
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Jul 15 10:00:01 1997
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        1.2.0-1.2.1
>Environment:
SunOS r2d2 5.5.1 Generic_103640-08 sun4m sparc / gcc 2.7.2.2.f.2
>Description:
Given the following .htaccess file, when "satisfy any" is added after
<Limit POST GET>, all sites gain access to the directory...
(AccessOverride is set to All in access.conf)

Basically "satisfy any" does not work...

----
AuthUserFile /usr/local/etc/httpd/conf/passwd
AuthName [machine-id]
AuthType Basic

<Limit POST GET>
order deny,allow
deny from all
allow from [site1]
require user [user1] [user2]
</Limit>
>How-To-Repeat:
duplicate the above .htaccess file replacing [variable] with appropriate data...
>Fix:
fix "satisfy any" to work as the documentation suggests
>Audit-Trail:
>Unformatted:
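
Added example, not part of the original report and not Apache's code: a small Python model of the documented access decision for the .htaccess above, showing what "satisfy any" is expected to grant (host allowed OR valid user) next to the default "all" (both required). The host name site1.example, the user names, and the simplified suffix-based host matching are assumptions standing in for the report's [site1], [user1] and [user2] placeholders.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    order: str            # "deny,allow" or "allow,deny"
    deny_from: list
    allow_from: list
    require_users: list
    satisfy: str = "all"  # behaviour when no Satisfy directive is present


def _matches(host, patterns):
    # Simplified (assumed) matching: "all" matches every host, otherwise
    # the host must equal the pattern or be a subdomain of it.
    return any(p == "all" or host == p or host.endswith("." + p)
               for p in patterns)


def host_allowed(policy, host):
    denied = _matches(host, policy.deny_from)
    allowed = _matches(host, policy.allow_from)
    if policy.order == "deny,allow":
        # Deny is evaluated first and allow overrides it; default is allow.
        return allowed or not denied
    # allow,deny: allow is evaluated first and deny overrides it; default is deny.
    return allowed and not denied


def decide(policy, host, user=None):
    """Return 'granted' or 'denied'. `user` is an already-authenticated
    user name, or None when the request carries no valid credentials."""
    host_ok = host_allowed(policy, host)
    user_ok = user is not None and user in policy.require_users
    if policy.satisfy == "any":
        ok = host_ok or user_ok    # either restriction is enough
    else:
        ok = host_ok and user_ok   # both restrictions must pass
    return "granted" if ok else "denied"


def report_policy(satisfy):
    # Constructed values replacing the report's placeholders.
    return Policy("deny,allow", ["all"], ["site1.example"],
                  ["user1", "user2"], satisfy)


if __name__ == "__main__":
    for mode in ("all", "any"):
        for host in ("www.site1.example", "other.example"):
            for user in (None, "user1"):
                print(mode, host, user, decide(report_policy(mode), host, user))
```

The row to compare against the reported behaviour is "any" with other.example and no user: the model denies it, whereas the report describes every site gaining access.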
