>Number: 4840 >Category: mod_access >Synopsis: Unauthorized users can access protected areas >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Aug 9 12:30:01 PDT 1999 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.3.4 >Environment: Win2K RC1/NTFS. Distributed build, not recompiled. >Description: Create a normal protected directory with typical .htaccess settings to validate usernames and passwords. Edit the server configuration files to redirect on 401 errors to a public page on the server. When the user gets redirected, if they hit the back button on their browser, they can get into the "protected" page. Removing the 401 redirection fixes this - but prevents one from doing a graceful crap-out. :) >How-To-Repeat: It's easy to set up; an .htaccess file, a calling page, a "member page" and a page to redirect to. I'm not giving a URL because I ain't changing the server back to what amounts to a public site. :) >Fix: I would expect the user to end up at the first page, not the protected page. That is, if /members is a protected directory, and he access it from /misc/index.html, going to /members/goodies.html, he gets redirected to /cheater.html. On "back" I'd expect him to end up in /misc/index.html - the calling page, and not be magically granted permission to /members/. >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include <[EMAIL PROTECTED]> in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]
