Home page logo

basics logo Security Basics mailing list archives

Re: Apache AuthBasic
From: Creed Erickson <creed () mac com>
Date: Fri, 12 Dec 2003 16:36:23 -0800

The biggest concern is local .htaccess files.

1) Be sure to disallow overrides from a local .htaccess file. i.e., IF someone were to get write access, you want to disallow them from changing access policy by creating or editing a local .htaccess file. E.G.:
        <Directory /mydir>
               AllowOverride None

2) If you are using a local .htaccess file, be sure it's not writable by whatever user the httpd server runs as.

3) Make sure you disallow inspection of .htaccess.  E.G.:
    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
        Satisfy All

On Friday, December 12, 2003, at 07:46  AM, Jon Mark Allen wrote:

I have a website with one particular folder I want to secure.

I have setup SSL and Apache AuthBasic for that folder and all subfiles.

My question is: does anyone know of any vulnerabilities or ways to crack/circumvent AuthBasic?

So far, the only method I've found of breaking authBasic is to sniff the traffic to lift the username/password, but I've tested that with the SSL and the username/password combo is passed after SSL has already been established.

It is very important that this folder be as secure as I can make it. Obviously, just being available on the web at all reduces the overall security significantly, but I don't have a choice there. :-)

Thanks for your help.

Jon Mark

----------------------------------------------------------------------- ---- ----------------------------------------------------------------------- -----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]