LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 10-24-2008, 04:59 AM   #1
ThickGit
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Rep: Reputation: 0
Easily bypass .htaccess by using the server IP number.


I am having trouble sorting out .htaccess.

If I enter the normal url like "www.somesite.co.uk/protected_directory" the username and password dialog box appears and works ok.

If I approach the same directory using the server IP and user like this "http://123.123.123.123/~somesite/protected_directory" the dialog box does not appear and access is granted.

This is not because the browser had cached the user/pwd.


The server is running Fedora 5 and virtual hosts.

SElinux is disabled. I have tried putting the .htaccess content in the httpd.conf file under the protected directory entry and a few other things.

Obviously I have something misconfigured because that totally defeats any security offered by .htaccess. Any suggestions or pointers would be greatly appreciated.
 
Old 10-24-2008, 05:30 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
Without seeing the httpd.conf and such it suggests to me that you have both a virtual host and standard host pointing the same location with different configurations. I'd suggest putting a "default" virtual host in place above the proper one to catch any other http requests which reach your machine, and remove the non virtual host configs.
 
Old 10-24-2008, 06:33 AM   #3
ThickGit
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Original Poster
Rep: Reputation: 0
Thanks for taking the time to read and reply to my post.

When you say put a "default" VH above the proper one, do you mean simply as the first entry in the VH section of httpd.conf ?


I have pasted a copy of the the fisrt VH below. That ServerName is the same domain as applied to the box.


Quote:
<VirtualHost 123.123.123.123:80>
SuexecUserGroup "#501" "#501"
ServerName domain.co.uk
ServerAlias www.domain.co.uk
DocumentRoot /home/domain/public_html
ErrorLog /home/domain/logs/error_log
CustomLog /home/domain/logs/access_log combined
ScriptAlias /cgi-bin/ /home/domain/cgi-bin/
<Directory /home/domain/public_html>
Options Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
</Directory>
<Directory /home/domain/cgi-bin>
allow from all
</Directory>
</VirtualHost>

*The real domain has been replaced by "domain" of course.

I hope I am going in the right direction here.


When you say remove "non virtual host configs." are you talking about way up near the top of the config file (global settings ?).

There are entries there like this :


Quote:
<Directory "/var/www/html">
...
Options Indexes FollowSymLinks
...
AllowOverride AuthConfig
...
Order allow,deny
Allow from all
</Directory>

Again, I appreciate your time and assistance.
 
Old 10-24-2008, 07:10 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
you should have a documentroot setting outside of the virtual host definition if my assumptions are right. if you don't have one, then the virtual hosts are used in order of definition, so the first would be used. as long as this is not relevant to a sensitive area, you shouldn't be at any risk.
 
Old 10-24-2008, 08:06 AM   #5
ThickGit
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Original Poster
Rep: Reputation: 0
Thanks Chris.

There is a line in httpd.conf like this:
Quote:
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"
Is that what you mean ?

On the assumption that is correct, then it would appear that the server is not at risk. Thanks for putting my mind at rest.

That just leaves my initial concern of how to make .htaccess work even when the protected directory is addressed using the server IP number.

Any thoughts would be great.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
bittorrent port blocked by server- How to bypass? Mustafa^Qasim Linux - Networking 3 07-21-2007 02:24 AM
how to easily make a linux VPN Server ? Xeratul Linux - General 6 02-16-2007 06:43 PM
Is there a way to easily shutdown a remote linux server with a shell script? bdb4269 Programming 7 01-26-2007 05:08 PM
SSH tunneling: bypass (almost) any firewall easily michux Linux - Networking 1 08-23-2006 12:29 PM
What is the best POP3 server that I can easily collect mail from my Windows machine? ExCIA Linux - Networking 1 05-11-2005 11:25 PM


All times are GMT -5. The time now is 01:52 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration