Being that the files are owned by their respective users, I would imagine that would make it pretty difficult for the .htaccess file to be overwritten. If someone found a way to overwrite the file, couldn't that person overwrite any file owned by the FTP user anyway? Also, I don't see how someone being able to overwrite the .htaccess file would allow them to grab the FTP password, especially if this is all transmitted over SSL. I apologize, I'm not trying to start a flame war that I'm sure I'll lose. But I am working on a script that does exactly this, and if I'm doing it wrong perhaps I should begin recoding it.
josh

On Fri, 3 May 2002, Mike Eheler wrote:

> If someone can overwrite your .htaccess there's a chance they can also
> view files through the same exploit (possibly). They could then get your
> FTP login info, and do a lot more damage than just removing password
> access to an area.
>
> Mike
>
> Serj wrote:
> > I'm not exactly sure why that is worse, could you elaborate a little?
> > Josh
> >
> > On Fri, 3 May 2002, Miguel Cruz wrote:
> >
> >>Thus leaving the FTP account's password in view of the httpd, which is
> >>even worse...
> >>
> >>miguel
> >>
> >>On Fri, 3 May 2002, serj wrote:
> >>
> >>>You could use fopen() to connect to the file via ftp therefore keeping
> >>>the .htaccess file owned by the user for increased security.
> >>>
> >>>Josh Boughner
> >>>
> >>>On Fri, 3 May 2002, Mike Eheler wrote:
> >>>
> >>>>It's possible, but is it really recommended? Wouldn't the
> >>>>.htaccess/.htpasswd file have to be owned by the apache user, which
> >>>>might leave it open to being overwritten by any kind of a
> >>>>weak/exploitable script?
> >>>>
> >>>>Mike
> >>>>
> >>>>Josh & Valerie McCormack wrote:
> >>>>
> >>>>>I've used the script phtaccess, which I think used the mentioned class.
> >>>>>Super easy to use.
> >>>>>
> >>>>>Josh
> >>>>>
> >>>>>>On Wed, 1 May 2002, Kelly Meeks wrote:
> >>>>>>
> >>>>>>>>Is it possible to use php to admin a password file used by a
> >>>>>>>>.htaccess file?
> >>>>>>
> >>>>>> You should check the File_Passwd class from PEAR.
> >>>>>>
> >>>>>> http://chora.php.net/cvs.php/php4/pear/File
> >>>>>>
> >>>>>>--
> >>>>>>Mika Tuupola http://www.appelsiini.net/~tuupola/
> >>>>
> >>>>--
> >>>>PHP General Mailing List (http://www.php.net/)
> >>>>To unsubscribe, visit: http://www.php.net/unsub.php
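
The two exposures weighed in this thread can be checked on a server with the sketch below, which is an added example and not part of the original messages: it flags .htaccess/.htpasswd files the httpd account could modify, and PHP scripts that embed an ftp://user:password@ URL readable by the httpd. The names audit_docroot and writable_by are hypothetical, and the httpd's numeric uid/gids are assumed to be known.

```python
import os
import re
import stat

# Matches ftp://user:password@host URLs embedded in source text.
FTP_CRED_RE = re.compile(r"ftp://[^\s:/@'\"]+:[^\s@'\"]+@", re.IGNORECASE)
ACCESS_FILES = {".htaccess", ".htpasswd"}


def writable_by(st, uid, gids):
    """Apply the Unix owner/group/other rule to decide if uid may write.

    Simplified: ignores ACLs, uid 0 and the sticky bit.
    """
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_docroot(docroot, web_uid, web_gids=()):
    """Return sorted (issue, relative_path) findings for one document root.

    web_uid / web_gids: numeric ids the httpd runs as (assumed known).
    """
    gids = set(web_gids)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        # A writable directory lets the httpd replace the file outright.
        dir_writable = writable_by(os.stat(dirpath), web_uid, gids)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot)
            if name in ACCESS_FILES:
                if dir_writable or writable_by(os.stat(path), web_uid, gids):
                    findings.append(("httpd-writable", rel))
            elif name.endswith(".php"):
                with open(path, errors="replace") as fh:
                    if FTP_CRED_RE.search(fh.read()):
                        findings.append(("ftp-credentials-in-script", rel))
    return sorted(findings)
```
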