* On 2001-09-09 at 08:44,
  William A. Rowe, Jr. <[EMAIL PROTECTED]> excited the electrons to say:
> 
> A vhost user creates an .htpasswd file containing;
> me:K<*@MFHE948!
> root:K<*@MFHE948!
> admin:K<*@MFHE948!
> 
> Now that user can 'pretend' to be root, accessing root's files (provided they
> were not secured) in spite of the fact that another vhost user believed that
> file was protected by 'their' .htpasswd file (with the same user list, and
> different vhosts.)

I am not getting this, Bill.  If the vhost user is able to control
the vhost configuration, you cannot block him out anyway; he can
always supply a different Require directive to let him do what he
wants.  Unless you are suggesting that the Require is in the
.htaccess file, and everything else is in httpd.conf, and the
intruder can modify the latter but not the former..

I just do not see this scenario as being any less secure than
'require valid-user'.

What am I missing?
-- 
#ken    P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"All right everyone!  Step away from the glowing hamburger!"
