Package: apache2.2-common
Version: 2.2.9-10+lenny6
Severity: important
Tags: patch
The apache2.conf contains
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
If in some other part of the configuration file (e.g.
inside some virtual host configuration) the
AuthType, ... Required ... directives *and* "Satisfy any"
is used, it seems to apply to the above mentioned <Files>...
too. Thus *any* authenticated user may access the .ht* files.
I consider this as a serious security issue.
Adding "Satisfy all" to the above block would solve this and
should not harm otherwise.
-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--
To UNSUBSCRIBE, email to debian-apache-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20100301132012.20935.10811.report...@pc67.site
