If someone can overwrite your .htaccess there's a chance they can also view files through the same exploit (possibly). They could then get your FTP login info, and do a lot more damage than just removing password access to an area.

Mike

Serj wrote:

> I'm not exactly sure why that is worse, could you elaborate a little?
> Josh
>
> On Fri, 3 May 2002, Miguel Cruz wrote:
>
>>Thus leaving the FTP account's password in view of the httpd, which is
>>even worse...
>>
>>miguel
>>
>>On Fri, 3 May 2002, serj wrote:
>>
>>>You could use fopen() to connect to the file via ftp therefore keeping
>>>the .htaccess file owned by the user for increased security.
>>>
>>>Josh Boughner
>>>
>>>On Fri, 3 May 2002, Mike Eheler wrote:
>>>
>>>>It's possible, but is it really recommended? Wouldn't the
>>>>.htaccess/.htpasswd file have to be owned by the apache user, which
>>>>might leave it open to being overwritten by any kind of a
>>>>weak/exploitable script?
>>>>
>>>>Mike
>>>>
>>>>Josh & Valerie McCormack wrote:
>>>>
>>>>>I've used the script phtaccess, which I think used the mentioned class.
>>>>>Super easy to use.
>>>>>
>>>>>Josh
>>>>>
>>>>>>On Wed, 1 May 2002, Kelly Meeks wrote:
>>>>>>
>>>>>>>>Is it possible to use php to admin a password file used by a
>>>>>>>>.htaccess file?
>>>>>>
>>>>>> You should check the File_Passwd class from PEAR.
>>>>>>
>>>>>> http://chora.php.net/cvs.php/php4/pear/File
>>>>>>
>>>>>>--
>>>>>>Mika Tuupola http://www.appelsiini.net/~tuupola/
>>>>
>>>>--
>>>>PHP General Mailing List (http://www.php.net/)
>>>>To unsubscribe, visit: http://www.php.net/unsub.php
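
The ownership concern discussed in this thread can be checked on a server. The following is an added example, not part of the original messages: a shell function (hypothetical name `audit_htfiles`) that reports `.htaccess`/`.htpasswd` files which a script running as the web server account could overwrite or replace. The account and group are passed as arguments and are assumptions about the local setup.

```shell
#!/bin/sh
# Added example (not from the thread). audit_htfiles is a hypothetical name.
# Usage: audit_htfiles ROOT WEB_USER WEB_GROUP
#   e.g. audit_htfiles /var/www/html www-data www-data   (example values only)
# Prints one line per finding: "<reason> <path>"
audit_htfiles() {
    root=$1; web_user=$2; web_group=$3
    find "$root" -type f \( -name .htaccess -o -name .htpasswd \) -print |
    while IFS= read -r f; do
        dir=$(dirname "$f")
        # The owner can always chmod and then rewrite the file.
        if [ -n "$(find "$f" -prune -user "$web_user")" ]; then
            echo "owned-by-web-user $f"
        # Group write bit set and the file belongs to the web server's group.
        elif [ -n "$(find "$f" -prune -group "$web_group" -perm -0020)" ]; then
            echo "group-writable $f"
        # Any local account, including the web server's, can write.
        elif [ -n "$(find "$f" -prune -perm -0002)" ]; then
            echo "world-writable $f"
        # A writable parent directory lets the file be deleted and recreated
        # (a world-writable directory with the sticky bit does not).
        elif [ -n "$(find "$dir" -prune \( -user "$web_user" -o \
                     \( -perm -0002 ! -perm -1000 \) \))" ]; then
            echo "dir-writable $f"
        fi
    done
}
```

An empty result means none of these four conditions matched; it does not cover ACLs or credentials for another account (such as the FTP login mentioned above) stored where the web server can read them.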