At 11:50 AM 4/22/2002, you wrote:
>At 07:55 PM 4/21/2002, you wrote:
>>At 19:43 21/04/02 -0700, you wrote:
>>> ><Directory /home/sites/>
>>> >AllowOverride All
>>> >Options All
>>> ></Directory>
>>> >
>>> >... set, then who do you blame? :o) Set it to "AllowOverride None" and all
>>> >these fancy .htaccess files in /home/sites/wherever
>>> >will no longer work.
>>>
>>>Well.... Not exactly, at least not on my remaining
>>>RaQ3. I have the following in my access.conf file and
>>>I still can (and do) use .htaccess files to password
>>>protect a few user directories..
>>>
>>><Directory />
>>>Options None
>>>AllowOverride None
>>>AuthFailDelay 2000000
>>></Directory>
>>>
>>>What I *do* use to stop those files from being
>>>uploaded in the first place, is this little line in my
>>>proftpd.conf file..
>>>
>>>PathDenyFilter "(\\.ftpaccess)|(\\.htaccess)|(\\.forward)$"
>>>
>>>Babs
>>
>>
>>That's quite a nice way of doing it, but that still doesn't stop users from
>>uploading htaccess.txt and then renaming it on the server using their FTP
>>client.
>>
>>It looks almost impossible to stop users doing this, basically it gives
>>them the same access as what shell would.
>
>This is a huge security hole... , how do we fix this???
>I call on SUN to patch this hole ASAP!!!
>
And just whom do you call on to fix this on all the other types of servers?
Don't let anyone on and you won't have the problem.

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
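
Added example, not part of the original thread: a Python audit an administrator could run to find files that match the PathDenyFilter pattern quoted above but are already on disk (for instance after the upload-then-rename described in the thread), together with the Apache directives each one sets. The function names and the sample tree are constructed for illustration, and the pattern assumes the doubled backslashes in proftpd.conf are config-file escaping for a single backslash.

```python
import os
import re
import tempfile

# Pattern from the quoted proftpd.conf line. Assumption: "\\." in the config
# file stands for the regex "\." once the config parser has unescaped it.
# Note that "$" binds only to the last alternative (.forward).
DENY = re.compile(r"(\.ftpaccess)|(\.htaccess)|(\.forward)$")


def audit_tree(root):
    """Return sorted (relative path, [directive names]) for files matching DENY."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not DENY.search(name):
                continue
            full = os.path.join(dirpath, name)
            directives = []
            with open(full, "r", errors="replace") as fh:
                for line in fh:
                    line = line.strip()
                    # Skip blanks and comments; keep the leading directive name.
                    if line and not line.startswith("#"):
                        directives.append(line.split()[0].lstrip("<"))
            findings.append((os.path.relpath(full, root), directives))
    return sorted(findings)


def demo():
    """Constructed sample: a harmless-looking upload that is renamed afterwards."""
    with tempfile.TemporaryDirectory() as root:
        web = os.path.join(root, "site1", "web")
        os.makedirs(web)
        uploaded = os.path.join(web, "htaccess.txt")
        with open(uploaded, "w") as fh:
            fh.write("# constructed sample content\nOptions +ExecCGI\n")
        before = audit_tree(root)   # name does not match the filter yet
        os.rename(uploaded, os.path.join(web, ".htaccess"))
        after = audit_tree(root)    # the renamed file is now reported
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before rename:", before)
    print("after rename: ", after)
```

Run periodically against the real site root (for example `audit_tree("/home/sites")`), this reports override files regardless of how they arrived, which an upload-name filter alone cannot do.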
