----- Original Message -----
From: "Dragon" <[EMAIL PROTECTED]>
To: <users@httpd.apache.org>
Sent: Friday, April 25, 2008 3:56 PM
Subject: Re: [EMAIL PROTECTED] .htaccess for script aliased directories
Danie Qian wrote:
----- Original Message ----- From: "Joshua Slive" <[EMAIL PROTECTED]>
To: <users@httpd.apache.org>; "Danie Qian" <[EMAIL PROTECTED]>
Sent: Friday, April 25, 2008 3:39 PM
Subject: Re: [EMAIL PROTECTED] .htaccess for script aliased directories
On Fri, Apr 25, 2008 at 3:32 PM, Danie Qian <[EMAIL PROTECTED]>
wrote:
<Limit GET POST>
require valid-user
</Limit>
Remove the <Limit GET POST> and </Limit> lines. They are dangerous. See:
http://httpd.apache.org/docs/2.2/mod/core.html#limit
Joshua.
From the above link I cant find anything dangerous except for the fact
that it limits requests to GET,POST methods, about which my users never
complained. Or, did I miss out anything here?
---------------- End original message. ---------------------
No, it does not do what you think.
As you have it in your config, it requires a valid user for only the GET
and POST methods. It ALLOWS all other methods without a valid user.
This opens you up to potential attacks. You want to remove the Limit
directives so ALL methods will require a valid user.
Dragon
I copied the lines from another server and never thought about it in this
way :)
Thanks everyone for pointing it out for me to eliminate a potential security
problem.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
