RE: [cobalt-security] RE: SSI Vuln on cobalt
- Subject: RE: [cobalt-security] RE: SSI Vuln on cobalt
- From: "trez blencowe" <trez@xxxxxxxxxxxx>
- Date: Mon, 22 Apr 2002 10:16:17 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
unsubscribe
-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Brett Wright
Sent: Sunday, April 21, 2002 10:55 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] RE: SSI Vuln on cobalt
At 19:43 21/04/02 -0700, you wrote:
> ><Directory /home/sites/>
> >AllowOverride All
> >Options All
> ></Directory>
> >
> >... set, then who do you blame? :o) Set it to "AllowOverride None" and all
> >these fancy .htaccess files in /home/sites/wherever will no longer work.
>
>Well.... Not exactly, at least not on my remaining
>RaQ3. I have the following in my access.conf file and
>I still can (and do) use .htaccess files to password
>protect a few user directories..
>
><Directory />
>Options None
>AllowOverride None
>AuthFailDelay 2000000
></Directory>
>
>What I *do* use to stop those files from being
>uploaded in the first place, is this little line in my
>proftpd.conf file..
>
>PathDenyFilter "(\\.ftpaccess)|(\\.htaccess)|(\\.forward)$"
>
>Babs
>
That's quite a nice way of doing it, but that still doesn't stop users from
uploading htaccess.txt and then renaming it on the server using their FTP
client.
It looks almost impossible to stop users doing this, basically it gives
them the same access as shell would.
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
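
An added example, not part of the thread or any poster's code: because the upload filter discussed above can be sidestepped by a rename, one defensive check is to audit the site tree afterwards for the filtered names and list the `.htaccess` lines worth reviewing. The directive list, function names and sample tree are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Basenames the PathDenyFilter quoted above is meant to keep off the server.
DENIED_NAMES = re.compile(r"^\.(ftpaccess|htaccess|forward)$")
# Assumption: directives worth a manual look when AllowOverride honours them.
REVIEW_DIRECTIVES = re.compile(r"^\s*(Options|AddHandler|AddType|XBitHack)\b", re.I)

def audit_tree(root):
    """Return sorted (relative path, flagged .htaccess lines) for filtered names."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):  # does not follow symlinked dirs
        for name in filenames:
            if not DENIED_NAMES.match(name):
                continue
            full = os.path.join(dirpath, name)
            flagged = []
            # Only read regular files: users control this tree, so skip symlinks/FIFOs.
            if name == ".htaccess" and stat.S_ISREG(os.lstat(full).st_mode):
                with open(full, errors="replace") as fh:
                    flagged = [ln.strip() for ln in fh if REVIEW_DIRECTIVES.match(ln)]
            findings.append((os.path.relpath(full, root), flagged))
    return sorted(findings)

def demo():
    """Run the audit over a constructed sample tree (not data from the thread)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "site1/web/.htaccess": "Options +Includes\nAuthType Basic\n",
            "site1/web/htaccess.txt": "Options +Includes\n",  # pre-rename name, not matched
            "site2/.forward": "someone@example.invalid\n",
        }
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return audit_tree(root)

if __name__ == "__main__":
    for path, flagged in demo():
        print(path, flagged)
```

On a real host, `audit_tree("/home/sites")` run from a scheduled job would report the same names the filter targets, regardless of how they arrived.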