[WEB SECURITY] apache issue

Mike Duncan security at randomtask.net
Wed Jun 8 09:16:50 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jay D. Dyson wrote:
> On Tue, 7 Jun 2005, Ivan Ristic wrote:
> 
>>>> <Limit GET>
>>>>    order deny,allow
>>>>    deny from all
>>>> </Limit>
>>>
>>>
>>> This will only reject GET and HEAD requests (HEAD is always implied
>>> when GET is used), allowing all other request methods to proceed.
> 
> 
>     All true.  What I posted was strictly as a basic example.

When asking for help about such specifics, you should really try to give
us all the information and NOT examples. In writing the examples you may
be missing something. There is nothing wrong in pasting the relevant
httpd.conf or .htaccess lines here.

You said above that you would like the .htaccess to take precedence over
the global configuration file, but you use AllowOverride None. You
should set the AllowOverride to something else.

- From the Apache 2.0 manual
(http://httpd.apache.org/docs-2.0/mod/core.html#allowoverride):

When the server finds an .htaccess file (as specified by AccessFileName)
it needs to know which directives declared in that file can override
earlier configuration directives.

Only available in <Directory> sections. AllowOverride is valid only in
<Directory> sections specified without regular expressions, not in
<Location>, <DirectoryMatch> or <Files> sections.

When this directive is set to None, then .htaccess files are completely
ignored. In this case, the server will not even attempt to read
.htaccess files in the filesystem.



> 
> -Jay
> 
>    (    (                                                      _______
>    ))   ))  .-"There's always time for a good cup of coffee"-.  >====<--.
>  C|~~|C|~~| \----- Jay D. Dyson -- jdyson at treachery.net -----/ |    = |-'
>   `--' `--'  `-- Pardon me, but am I on the right planet? --'  `------'
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCpu/COSRBehttuMoRAisZAKCsAzDNcyCIb9DcCOVq+0PoiGx8vgCgvz4q
Dtrsk/4dXSneUqdi53fvhd4=
=B18i
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
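
The two points made in this message, as an added configuration example that is not part of the original thread or anyone's real httpd.conf. It uses Apache 2.0 access-control syntax; the path /var/www/private and the address range 192.0.2.0/24 are constructed placeholders.

```apache
# --- httpd.conf, weak form (constructed) ---
# <Limit GET> restricts only GET and the implied HEAD; POST, PUT,
# DELETE and every other method are not covered by the deny.
# AllowOverride None means any .htaccess under this directory is
# never read, so nothing placed there can change this behaviour.
<Directory /var/www/private>
    AllowOverride None
    <Limit GET>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>

# --- httpd.conf, corrected form (constructed) ---
# No <Limit> wrapper: the deny applies to every request method.
# AllowOverride Limit lets .htaccess files use the host access
# directives (Order, Allow, Deny) and nothing else.
<Directory /var/www/private>
    AllowOverride Limit
    Order deny,allow
    Deny from all
</Directory>

# --- /var/www/private/.htaccess (constructed) ---
# Read only because AllowOverride is no longer None. With
# Order deny,allow the Allow line is evaluated last, so the
# placeholder range is admitted and everyone else stays denied.
Order deny,allow
Deny from all
Allow from 192.0.2.0/24
```

After a change like this, `apachectl configtest` checks the syntax, and a request using a method other than GET against the directory confirms the deny is no longer method-specific.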
