At 07:55 PM 4/21/2002, you wrote:

At 19:43 21/04/02 -0700, you wrote:

><Directory /home/sites/>
>AllowOverride All
>Options All
></Directory>
>
>... set, then who do you blame? :o) Set it to "AllowOverride None" and all
>these fancy .htaccess files in /home/sites/wherever
>will no longer work.

Well.... Not exactly, at least not on my remaining RaQ3. I have the following in my access.conf file and I still can (and do) use .htaccess files to password protect a few user directories..

<Directory />
Options None
AllowOverride None
AuthFailDelay 2000000
</Directory>

What I *do* use to stop those files from being uploaded in the first place, is this little line in my proftpd.conf file..

PathDenyFilter "(\\.ftpaccess)|(\\.htaccess)|(\\.forward)$"

Babs

That's quite a nice way of doing it, but that still doesn't stop users from uploading htaccess.txt and then renaming it on the server using their FTP client.

It looks almost impossible to stop users doing this, basically it gives them the same access as what shell would.

This is a huge security hole..., how do we fix this??? I call on SUN to patch this hole ASAP!!!
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
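
Added example, not part of the original thread: Apache merges <Directory> sections from the shortest path to the longest, so an AllowOverride set on a deeper directory replaces the one set on <Directory />. The Python sketch below works out which block decides AllowOverride for a given directory; the sample config combines the two blocks quoted above into one constructed file, and the site path www.example.com is hypothetical.

```python
import re

# Constructed sample: the two <Directory> blocks quoted in the thread, combined
# into one file for illustration (not a real RaQ access.conf).
SAMPLE_CONF = """\
<Directory />
Options None
AllowOverride None
AuthFailDelay 2000000
</Directory>
<Directory /home/sites/>
AllowOverride All
Options All
</Directory>
"""

def parse_directory_blocks(conf):
    """Return [(path, AllowOverride value or None)] for plain <Directory> blocks.
    Simplification: wildcard and regex (~) sections are skipped."""
    blocks, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        opening = re.match(r'<Directory\s+"?([^">~*?\[]+?)"?\s*>$', line, re.I)
        if opening:
            current = [opening.group(1).rstrip("/") or "/", None]
        elif current and re.match(r"</Directory>", line, re.I):
            blocks.append(tuple(current))
            current = None
        elif current:
            setting = re.match(r"AllowOverride\s+(.+)", line, re.I)
            if setting:
                current[1] = setting.group(1).strip()
    return blocks

def effective_allowoverride(conf, target):
    """Return (value, deciding_block) for target, merging matching blocks from
    fewest path components to most, the order Apache uses for <Directory>."""
    target = target.rstrip("/") or "/"
    result = (None, None)  # None: no block sets it, so the server default applies
    depth = lambda b: 0 if b[0] == "/" else b[0].count("/")
    for path, value in sorted(parse_directory_blocks(conf), key=depth):
        covers = path == "/" or target == path or target.startswith(path + "/")
        if covers and value is not None:
            result = (value, path)
    return result

if __name__ == "__main__":
    for d in ("/home/sites/www.example.com/web", "/etc"):
        print(d, effective_allowoverride(SAMPLE_CONF, d))
```

Running it against the real configuration files shows, per directory, whether .htaccess files are honoured there and which block to edit to change that.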