Home page logo
/

bugtraq logo Bugtraq mailing list archives

Access control on W3C httpd server
From: plord () perrin demon co uk (Peter Lord)
Date: Wed, 30 Apr 1997 19:50:39 +0000


I came accross this problem recently when using the CERN server.  I
couldn't find any referrences to it ... but I guess this *must* be
well known.  Still, better to speak up than to keep quiet.

My server has the following in the config file :-

Protection secret {
        AuthType        Basic
        ServerID        mine
        PasswdFile      /httpd/config/passwd
        GroupFile       /httpd/config/group
        POST-Mask       secret_group
        GET-Mask        secret_group
        PUT-Mask        webmaster
}

Protect /secret/*           secret

Which works fine.  When the client tries to access
http://www.site.co.uk/secret/index.html, for example, the password
box pops up.

However, if the client tries to access
http://www.site.co.uk//secret/index.html (note the double slash), the
server happily serves the document out.

Until I manage to have a dig around the sources, my tempory
workaround is to add :-

Protect //secret/*    secret

Whick seems to work (regardless of how many extra slashes are slotted
in).

BTW, my source tree is the last available from CERN with a couple of
local mods (syslog logging + BROWSE support for AOLPress) - I havn't
touched anying which would effect this.

Comments?

Thanks,

Pete



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault