Easily bypass .htaccess by using the server IP number.

ThickGit · 10-24-2008, 03:59 AM

I am having trouble sorting out .htaccess.

If I enter the normal url like "www.somesite.co.uk/protected_directory" the username and password dialog box appears and works ok.

If I approach the same directory using the server IP and user like this "http://123.123.123.123/~somesite/protected_directory" the dialog box does not appear and access is granted.

This is not because the browser had cached the user/pwd.

The server is running Fedora 5 and virtual hosts.

SElinux is disabled. I have tried putting the .htaccess content in the httpd.conf file under the protected directory entry and a few other things.

Obviously I have something misconfigured because that totally defeats any security offered by .htaccess. Any suggestions or pointers would be greatly appreciated.

acid_kewpie · 10-24-2008, 04:30 AM

Without seeing the httpd.conf and such it suggests to me that you have both a virtual host and standard host pointing the same location with different configurations. I'd suggest putting a "default" virtual host in place above the proper one to catch any other http requests which reach your machine, and remove the non virtual host configs.

ThickGit · 10-24-2008, 05:33 AM

Thanks for taking the time to read and reply to my post.

When you say put a "default" VH above the proper one, do you mean simply as the first entry in the VH section of httpd.conf ?

I have pasted a copy of the the fisrt VH below. That ServerName is the same domain as applied to the box.

Quote:

<VirtualHost 123.123.123.123:80>
SuexecUserGroup "#501" "#501"
ServerName domain.co.uk
ServerAlias www.domain.co.uk
DocumentRoot /home/domain/public_html
ErrorLog /home/domain/logs/error_log
CustomLog /home/domain/logs/access_log combined
ScriptAlias /cgi-bin/ /home/domain/cgi-bin/
<Directory /home/domain/public_html>
Options Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
</Directory>
<Directory /home/domain/cgi-bin>
allow from all
</Directory>
</VirtualHost>

*The real domain has been replaced by "domain" of course.

I hope I am going in the right direction here.

When you say remove "non virtual host configs." are you talking about way up near the top of the config file (global settings ?).

There are entries there like this :

Quote:

<Directory "/var/www/html">
...
Options Indexes FollowSymLinks
...
AllowOverride AuthConfig
...
Order allow,deny
Allow from all
</Directory>

Again, I appreciate your time and assistance.

acid_kewpie · 10-24-2008, 06:10 AM

you should have a documentroot setting outside of the virtual host definition if my assumptions are right. if you don't have one, then the virtual hosts are used in order of definition, so the first would be used. as long as this is not relevant to a sensitive area, you shouldn't be at any risk.

ThickGit · 10-24-2008, 07:06 AM

Thanks Chris.

There is a line in httpd.conf like this:

Quote:

# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"

Is that what you mean ?

On the assumption that is correct, then it would appear that the server is not at risk. Thanks for putting my mind at rest.

That just leaves my initial concern of how to make .htaccess work even when the protected directory is addressed using the server IP number.

Any thoughts would be great.