----- Original Message -----
From: "Danie Qian" <[EMAIL PROTECTED]>
To: <users@httpd.apache.org>
Sent: Friday, April 25, 2008 4:16 PM
Subject: Re: [EMAIL PROTECTED] .htaccess for script aliased directories
----- Original Message -----
From: "Dragon" <[EMAIL PROTECTED]>
To: <users@httpd.apache.org>
Sent: Friday, April 25, 2008 3:56 PM
Subject: Re: [EMAIL PROTECTED] .htaccess for script aliased directories
Danie Qian wrote:
----- Original Message -----
From: "Joshua Slive" <[EMAIL PROTECTED]>
To: <users@httpd.apache.org>; "Danie Qian" <[EMAIL PROTECTED]>
Sent: Friday, April 25, 2008 3:39 PM
Subject: Re: [EMAIL PROTECTED] .htaccess for script aliased directories
On Fri, Apr 25, 2008 at 3:32 PM, Danie Qian <[EMAIL PROTECTED]>
wrote:
<Limit GET POST>
require valid-user
</Limit>
Remove the <Limit GET POST> and </Limit> lines. They are dangerous. See:
http://httpd.apache.org/docs/2.2/mod/core.html#limit
Joshua.
From the above link I can't find anything dangerous except for the fact
that it limits requests to the GET and POST methods, about which my users never
complained. Or, did I miss anything here?
---------------- End original message. ---------------------
No, it does not do what you think.
As you have it in your config, it requires a valid user for only the GET
and POST methods. It ALLOWS all other methods without a valid user.
This opens you up to potential attacks. You want to remove the Limit
directives so ALL methods will require a valid user.
Dragon
I copied the lines from another server and never thought about it in this
way :)
Thanks everyone for pointing it out for me to eliminate a potential
security problem.
On second thought, I tested the setting by commenting out the 'require
valid-user' line completely to see what the browser gets for other methods;
it is actually a 403 Forbidden error instead of an open 200. So I guess I was
fine with the <Limit GET POST> lines - it only triggers a login
prompt for GET & POST while leaving the others forbidden. Am I wrong?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
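The point Dragon makes above (a `require valid-user` wrapped in `<Limit GET POST>` only guards those methods and leaves every other method unauthenticated) is easy to audit mechanically. The following is an added example, not code from the thread or from the Apache project: a small Python checker that walks an .htaccess fragment, tracks which `<Limit>` blocks enclose each `Require` line, and reports the methods left without any `Require`. The sample configs are constructed for this example (the `AuthType`/`AuthName`/`AuthUserFile` lines and the htpasswd path are assumed, since the thread only quotes the `<Limit>` section). Per the httpd documentation for `<Limit>`, limiting GET also limits HEAD, and the checker models that; it does not model `<LimitExcept>`.

```python
import re

# Constructed sample: the weak form from the thread (Require inside <Limit>).
# The Auth* lines and the htpasswd path are assumed, not taken from the post.
WEAK_HTACCESS = """\
AuthType Basic
AuthName "Scripts"
AuthUserFile /path/to/htpasswd
<Limit GET POST>
require valid-user
</Limit>
"""

# Constructed sample: the corrected form Joshua and Dragon recommend,
# with the <Limit> lines removed so the Require applies to every method.
FIXED_HTACCESS = """\
AuthType Basic
AuthName "Scripts"
AuthUserFile /path/to/htpasswd
require valid-user
"""

# Methods to report on. Constructed list of the common HTTP and WebDAV
# methods a stock httpd understands; extend it for your own modules.
KNOWN_METHODS = [
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
]

LIMIT_OPEN = re.compile(r"<Limit\s+([^>]+)>", re.I)
LIMIT_CLOSE = re.compile(r"</Limit>", re.I)
REQUIRE = re.compile(r"require\s+", re.I)


def audit_require(config_text):
    """Report how a Require directive's coverage is narrowed by <Limit> blocks.

    Returns a dict with:
      unconditional: True if some Require sits outside every <Limit>
      protected:     methods that at least one Require applies to
      unguarded:     methods in KNOWN_METHODS that no Require applies to
    """
    protected = set()
    unconditional = False
    limit_stack = []  # method sets of the currently open <Limit> blocks

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue

        m = LIMIT_OPEN.match(line)
        if m:
            methods = {tok.upper() for tok in m.group(1).split()}
            if "GET" in methods:
                methods.add("HEAD")  # httpd: limiting GET also limits HEAD
            limit_stack.append(methods)
            continue

        if LIMIT_CLOSE.match(line):
            if limit_stack:
                limit_stack.pop()
            continue

        if REQUIRE.match(line):
            if limit_stack:
                # Nested <Limit> blocks apply only where all of them match.
                protected |= set.intersection(*limit_stack)
            else:
                unconditional = True

    unguarded = [] if unconditional else [m for m in KNOWN_METHODS if m not in protected]
    return {
        "unconditional": unconditional,
        "protected": sorted(protected),
        "unguarded": unguarded,
    }


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_HTACCESS), ("fixed", FIXED_HTACCESS)):
        result = audit_require(cfg)
        print(f"{label}: unguarded methods = {result['unguarded'] or 'none'}")
```

Run against the weak sample it lists PUT, DELETE, OPTIONS, TRACE and the WebDAV methods as reaching the resource with no authentication at all; against the fixed sample the list is empty, which is the outcome the thread's advice to drop the `<Limit>` lines produces. Whether a given unguarded method then succeeds or returns 403 depends on what else the server allows for that location, which is why relying on that as the protection is fragile compared with making the `Require` unconditional.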