>Number:         2145
>Category:       os-windows
>Synopsis:       .htaccess will password protect directory but not individual files if name of file is guessed
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Apr 27 19:20:00 PDT 1998
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:   apache
>Release:        1.3b6
>Environment:
Win95. Base release 1.3b6. Installed from installer file.
>Description:
The win95 release of apache will ask for a login and password if you place a .htaccess file in your desired directory. That works fine. The problem is anyone can guess a filename contained within the directory if they guess the filename, like index.html for example.

So in short:
http://server.com/protected_dir/
will produce login and password window (works appropriately)
http://server.com/protected_dir/guessedfilename.html
will load the file without asking for a password or login.

Is there any way to fix this? Please get back to me, thanks.
>How-To-Repeat:
To reproduce on win95 (possibly NT as well):
http://server.com/protected_dir/
will produce login and password window (works appropriately)
http://server.com/protected_dir/guessedfilename.html
will load the file without asking for a password or login.
>Fix:
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
