At 14:37 02/10/2002 +0300, netcat wrote:
>On Wed, 2 Oct 2002, Alan MacDonald wrote:
>[snip]
> > I use .htaccess files to control access - will this patch clobber that?
>
>if the workaround consists of disabling usage of .htaccess files then
>implementing it of course will make it impossible to use .htaccess files.
>how could it be otherwise?

Not necessarily. A workaround does not by definition mean that it is the solution to a problem - it's a 'work around'. ;)

quote 'A local user may exploit a vulnerability in Apache through specially crafted ".htaccess" files'.

The vulnerability lies in Apache. A 'fix' which means that you can no longer use .htaccess files would not be, in my mind, a great fix. I am assuming/hoping/praying that the patch works by fixing the flaw in Apache that /allows/ specially crafted .htaccess files to cause an exploit. This would not require the use of AllowOverride None in httpd.conf. I would be happy :)

Can someone tell me whether the patch breaks the use of .htaccess files in any way?

rgds
Alan MacDonald

--
Webmaster - aceposition.com
[EMAIL PROTECTED]
+353 51 855 939

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
