DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=42709>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=42709

           Summary: .htaccess is viewable by browser after login validation
           Product: Apache httpd-2
           Version: 2.2.3
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: mod_access
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]


***************** SECURITY FLAW *****************

1. /etc/httpd.conf prevents the viewing of .ht* files by default with these lines:

     <Files ~ "^\.ht">
         Order allow,deny
         Deny from all
     </Files>

2. It works (i.e. prevents viewing) in most instances.

3. HOWEVER, if a user has logged in successfully using .htaccess validation, he is able to view the .htaccess file (or even the .htpasswd file if it is stored in public_html) using a browser.

**************************************
Sequence for reproduction of bug
**************************************

1. Create .htaccess with the following contents:

     <Files ~ "^\.ht">
         Order allow,deny
         Deny from all
     </Files>

     AuthName "Restricted Access"
     AuthUserFile /home/mydomain.com/public_html/.htpasswd
     AuthType Basic

     <Limit GET PUT POST>
         order deny,allow
         deny from all
         require valid-user
         satisfy any
     </Limit>

2. Place .htaccess into /home/mydomain.com/public_html/

3. Create .htpasswd with a user name and encrypted password, and place it in /home/mydomain.com/public_html/

4. When accessing http://www.mydomain.com/.htaccess , you will be prompted for a login and password.

5. If you enter an invalid login or click cancel, you will get an Error 403 message.

6. Now, try accessing http://www.mydomain.com/.htaccess again and this time enter a valid login that you've created in .htpasswd.

7. You will see the contents inside the .htaccess.

8. If you access http://www.mydomain.com/.htpasswd , you will also see the contents of the file.

9. This means that a valid user can view the absolute path of where the .htpasswd is stored. And if .htpasswd is placed in public_html, it can also be viewed.
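Added mitigation note, not part of the bug report: in Apache 2.2, "Satisfy Any" grants access when either the host restriction (Order/Allow/Deny) or the user authentication passes, so the "satisfy any" set for the directory in the reporter's .htaccess is inherited by the .ht* files and a valid Basic-auth login alone is enough to get past "Deny from all". Pinning "Satisfy All" inside the server-level <Files> section, as the stock 2.2 httpd.conf does, makes both checks mandatory again; the weak and corrected sections below are an added example configuration, not text from the report (the relocated credential path is hypothetical).

```apache
# Weak (the section quoted in the report): only host restrictions are set here.
# A "Satisfy any" in effect for the directory (e.g. from .htaccess) is inherited,
# so an authenticated user passes the access check and Deny from all never decides.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# Corrected: both the host restriction AND authentication must pass.
# Since Deny from all can never pass, every client gets 403, whatever
# "Satisfy" value the per-directory .htaccess tries to set.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

# Defence in depth: keep the credential file outside the document root so
# that no URL maps to it at all (path is hypothetical; the report stores
# it under public_html, which is what makes step 8 possible).
AuthUserFile /home/mydomain.com/.htpasswd
```

After changing httpd.conf, confirm the fix with a request for /.htaccess using valid credentials: the server should still answer 403, and the error log should show a client-denied entry rather than a successful authentication.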
