Danie Qian wrote:

----- Original Message ----- From: "Joshua Slive" <[EMAIL PROTECTED]>
To: <users@httpd.apache.org>; "Danie Qian" <[EMAIL PROTECTED]>
Sent: Friday, April 25, 2008 3:39 PM
Subject: Re: [EMAIL PROTECTED] .htaccess for script aliased directories


On Fri, Apr 25, 2008 at 3:32 PM, Danie Qian <[EMAIL PROTECTED]> wrote:

        <Limit GET POST>
                require valid-user
        </Limit>

Remove the <Limit GET POST> and </Limit> lines. They are dangerous. See:
http://httpd.apache.org/docs/2.2/mod/core.html#limit

Joshua.

From the above link I cant find anything dangerous except for the fact that it limits requests to GET,POST methods, about which my users never complained. Or, did I miss out anything here?
---------------- End original message. ---------------------


No, it does not do what you think.

As you have it in your config, it requires a valid user for only the GET and POST methods. It ALLOWS all other methods without a valid user.


This opens you up to potential attacks. You want to remove the Limit directives so ALL methods will require a valid user.


Dragon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to