Re: [cobalt-security] Re: Security Alert on MIPS based Cobalts
- Subject: Re: [cobalt-security] Re: Security Alert on MIPS based Cobalts
- From: Malcolm McLeary <mmcleary@xxxxxxx>
- Date: Sun, 08 Oct 2000 19:20:26 +1100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
on 8/10/00 10:39 AM, Malcolm McLeary at mmcleary@xxxxxxx wrote:
> This is really bad!
>
> http://www.domain.com:81/.cobalt/groupList/
>
> presents this page without a password prompt, while
>
> http://www.domain.com:81/.cobalt/sysManage/
>
> prompts for a username and password.
>
> There must be a relatively easy fix to this because my Gateway Microserver
> does not have this problem ... it prompts for a password for both of these
> URLs.
>
> Would a .htaccess file restricting access to admin work?
Yep. My Gateway Microserver has a .htaccess file in the groupList directory
where my Qubes don't. Just add a .htaccess file containing the following
and the problem will be resolved.

# Access file for /usr/admserv/html/.cobalt/groupList/ (admin)
order allow,deny
allow from all
require user admin
Authname Server
Authtype Basic
AuthUserFile /etc/htpasswd
AuthGroupFile /etc/htgroup

It would be prudent to check all the other directories in
/usr/admserv/html/.cobalt/ for missing .htaccess files. Unfortunately
creating a .htaccess at the parent level doesn't work as the error directory
needs to have no restrictions.
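
The directory check suggested in the last paragraph, as an added example that is not part of the original post: a shell function that lists subdirectories with no .htaccess, or with one that has no "require" line. It assumes the unrestricted error directory is literally named "error"; the sample tree and the "halfDone" directory name are constructed for illustration.

```shell
#!/bin/sh
# Added example: find admin-server directories without an effective .htaccess.
# Assumption: the directory that must stay unrestricted is named "error".

# audit_htaccess ROOT [EXEMPT_NAME]
# Prints one line per immediate (non-hidden) subdirectory of ROOT that is not
# exempt and either has no .htaccess or has one lacking a "require" directive.
audit_htaccess() {
    root=$1
    exempt=${2:-error}
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue            # glob matched nothing
        dir=${dir%/}
        name=${dir##*/}
        [ "$name" = "$exempt" ] && continue  # error pages stay open
        if [ ! -f "$dir/.htaccess" ]; then
            echo "MISSING $name"
        elif ! grep -Eiq '^[[:space:]]*require[[:space:]]' "$dir/.htaccess"; then
            # Auth settings without "require" do not force a login.
            echo "NO-REQUIRE $name"
        fi
    done
}

# Builds a constructed sample tree (not copied from a real Cobalt system)
# and prints its path. "halfDone" is a hypothetical directory name.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/groupList" "$t/sysManage" "$t/error" "$t/halfDone"
    printf 'Authtype Basic\nAuthname Server\nAuthUserFile /etc/htpasswd\nrequire user admin\n' \
        > "$t/sysManage/.htaccess"
    printf 'Authtype Basic\nAuthname Server\n' > "$t/halfDone/.htaccess"
    echo "$t"
}

# Stand-alone use: sh audit.sh /usr/admserv/html/.cobalt
if [ $# -gt 0 ]; then
    audit_htaccess "$1"
fi
```

Any directory it reports can then be given a .htaccess like the one above and the check re-run until the output is empty.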