Re: [PHP] php/.htaccess/.htpasswd

2002-05-03 Thread serj

You could use fopen() to connect to the file via ftp therefore keeping
the .htaccess file owned by the user for increased security. 

Josh Boughner

On Fri, 3 May 2002, Mike Eheler wrote:

 It's possible, but is it really recommended? Wouldn't the 
 .htaccess/.htpasswd file have to be owned by the apache user, which 
 might leave it open to being overwritten by any kind of a 
 weak/exploitable script?
 
 Mike
 
 Josh  Valerie McCormack wrote:
  I've used the script phtaccess, which I think used the mentioned class. 
  Super easy to use.
  
  Josh
  
  On Wed, 1 May 2002, Kelly Meeks wrote:
 
  Is it possible to use php to admin a password file used by a
  .htaccess file?
 
 
 
  You should check the File_Passwd class from PEAR.
 
  http://chora.php.net/cvs.php/php4/pear/File
 
  -- 
  Mika Tuupola http://www.appelsiini.net/~tuupola/
 
  
  
 
 
 
 -- 
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php
 
 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] php/.htaccess/.htpasswd

2002-05-03 Thread serj

I'm not exactly sure why that is worse, could you elaborate a little?
Josh

On Fri, 3 May 2002, Miguel Cruz wrote:

 Thus leaving the FTP account's password in view of the httpd, which is 
 even worse...
 
 miguel
 




Re: [PHP] php/.htaccess/.htpasswd

2002-05-03 Thread serj

Being that the files are owned by their respective users, I would imagine
that would make it pretty difficult for the .htaccess file to be
overwritten. If someone found a way to overwrite the file, couldn't that
person overwrite any file owned by the ftp user anyway? Also, I don't see
how someone being able to overwrite the .htaccess file would allow them to
grab the ftp password, especially if this is all transmitted over ssl.  I
apologize, I'm not trying to start a flame war that I'm sure I'll
lose.  But, I am working on a script that does exactly this and if I'm
doing it wrong perhaps I should begin recoding it.

josh 

On Fri, 3 May 2002, Mike Eheler wrote:

 If someone can overwrite your .htaccess there's a chance they can also 
 view files through the same exploit (possibly). They could then get your 
 FTP login info, and do a lot more damage than just removing password 
 access to an area.
 
 Mike
 




[PHP] Re: php/.htaccess/.htpasswd

2002-05-03 Thread serj

The way I designed the script was so that each time they want to save
changes to their htaccess file through the script they have to enter their
password.  So I never have to actually save the password anywhere in the
script.

On Fri, 3 May 2002, Mike Eheler wrote:

 The problem is not in them being able to overwrite the .htaccess *and* 
 getting your FTP password.. those are the cons for both solutions we 
 have presented, respectfully.
 
 Right now the ideal solution seems to be this:
 
 save new .htaccess to a temp file
 save new .htpasswd to a temp file
 use PHP's FTP routines to connect to the FTP server with your 
 username/password
 delete existing .htaccess
 delete existing .htpasswd
 upload new .htaccess
 upload new .htpasswd
 close connection
 
 The biggest problem with this is that you have your FTP password in 
 plain text in the script that performs this. If anyone for any reason is 
 able to take advantage of some kind of exploit that allows them to view 
 the source of that file, you're toast. They get ahold of your FTP
 password and have free rein on your website.
 
 I'm open to suggestions.
 
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
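
Added example, not part of any message in this thread: the temp-file-and-FTP-upload procedure Mike Eheler lists, with the FTP password taken from each request as serj describes rather than stored in the script. It assumes PHP 5.5+ with the ftp and openssl extensions; the function names, form fields and host are hypothetical.

```php
<?php
// Added example. build_htpasswd(), publish_auth_files(), the form fields and
// ftp.example.org are hypothetical names, not taken from the thread.

/** Build .htpasswd content from [username => plaintext password]. */
function build_htpasswd(array $users): string
{
    $lines = [];
    foreach ($users as $name => $plain) {
        // A ':' or line break in the name would corrupt or inject entries.
        if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', (string) $name)) {
            throw new InvalidArgumentException('bad username');
        }
        // bcrypt ($2y$) hashes are accepted by Apache httpd 2.4.
        $lines[] = $name . ':' . password_hash($plain, PASSWORD_BCRYPT);
    }
    return implode("\n", $lines) . "\n";
}

function publish_auth_files(string $host, string $ftpUser, string $ftpPass,
                            string $remoteDir, string $htaccess, string $htpasswd): void
{
    $conn = ftp_ssl_connect($host);            // FTP over TLS, not plain FTP
    if ($conn === false || !@ftp_login($conn, $ftpUser, $ftpPass)) {
        throw new RuntimeException('FTP login failed');
    }
    try {
        ftp_pasv($conn, true);
        // Password file first, so .htaccess never points at a missing file.
        foreach (['.htpasswd' => $htpasswd, '.htaccess' => $htaccess] as $name => $body) {
            $tmp = tempnam(sys_get_temp_dir(), 'auth');   // created with mode 0600
            file_put_contents($tmp, $body);
            // STOR replaces an existing file, so the separate delete step is
            // skipped and the directory is never left without an .htaccess.
            $ok = ftp_put($conn, "$remoteDir/$name", $tmp, FTP_BINARY);
            unlink($tmp);
            if (!$ok) throw new RuntimeException("upload of $name failed");
        }
    } finally {
        ftp_close($conn);
    }
}

// Usage inside an HTTPS form handler: the FTP password comes from the request
// and is never written to disk or kept in the script source.
// publish_auth_files('ftp.example.org', $_POST['ftp_user'], $_POST['ftp_pass'],
//     '/public_html/private', $htaccessText, build_htpasswd(['alice' => $newPw]));
```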