Posted to users@httpd.apache.org by David H <go...@yahoo.com> on 2004/03/14 04:26:13 UTC
[users@httpd] Dav security problem
Hi all,
I have set up Apache 2.0.48 with mod_dav and
mod_php. Everything is working fine but I have this
security problem... here is my configuration under
ssl.conf:
Alias /demo /home/demo/docs
<Location /demo>
Dav On
ForceType text/plain
AllowOverride None
Options None
AuthType Basic
AuthName Demo
AuthUserFile /web/www/restriction/demo
<LimitExcept GET POST OPTIONS>
require user david
</LimitExcept>
</Location>
It did ask me for a login name and password when I
connect with DAV mapping in Windows, but when I make
a directory under demo like example01 and have an
HTML file called test.php. Now in my browser I type
https://www.mysite.com/demo/example01/test.php and I see
all the code. I am not being asked for a password at all.
Does anyone know what is wrong?
Thanks,
David
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Dav security problem
Posted by David H <go...@yahoo.com>.
Joshua,
It works great, thanks for the pointer.
Dave
--- Joshua Slive <jo...@slive.ca> wrote:
>
> On Sat, 13 Mar 2004, David H wrote:
>
> > Hi Saqib,
> >
> > Thanks for the advice. Virtual Host may not solve my
> > problem, people are still able to get in. My question is
> > why am I not being asked for login or denied access under
> > normal https and Dav did ask for login?
>
> > > > <LimitExcept GET POST OPTIONS>
> > > > require user david
> > > > </LimitExcept>
>
> Because you have explicitly excluded "GET" from requiring authentication.
> Since GET is the method used for ordinary web browsers, they don't need to
> authenticate.
>
> Remove the <LimitExcept ...> and </LimitExcept> lines if you want to
> restrict all access.
>
> Joshua.
Re: [users@httpd] Dav security problem
Posted by Joshua Slive <jo...@slive.ca>.
On Sat, 13 Mar 2004, David H wrote:
> Hi Saqib,
>
> Thanks for the advice. Virtual Host may not solve my
> problem, people are still able to get in. My question is
> why am I not being asked for login or denied access under
> normal https and Dav did ask for login?
> > > <LimitExcept GET POST OPTIONS>
> > > require user david
> > > </LimitExcept>
Because you have explicitly excluded "GET" from requiring authentication.
Since GET is the method used for ordinary web browsers, they don't need to
authenticate.
Remove the <LimitExcept ...> and </LimitExcept> lines if you want to
restrict all access.
Joshua.
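Added example (not part of the original thread, and not Apache project code): a small Python audit that reads a <Location> block and lists the methods no Require directive covers. It is run on the access-control lines of the configuration posted at the start of the thread and on the same lines with <LimitExcept> removed; the method list and the function name are assumptions of this example.

```python
import re

# Method universe is an assumption of this example: basic HTTP plus the WebDAV verbs.
METHODS = {"GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "PROPFIND",
           "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed input: access-control lines of the <Location> block from the thread.
POSTED = """\
<Location /demo>
Dav On
AuthType Basic
AuthName Demo
AuthUserFile /web/www/restriction/demo
<LimitExcept GET POST OPTIONS>
require user david
</LimitExcept>
</Location>
"""
# Same block with the two <LimitExcept> lines removed, as the reply advises.
FIXED = re.sub(r"(?im)^</?LimitExcept[^>]*>\n", "", POSTED)

def unauthenticated_methods(conf):
    """Map each <Location> whose Require covers only some methods to the rest."""
    report, path, scope, covered = {}, None, METHODS, set()
    for line in (l.strip() for l in conf.splitlines()):
        m = re.match(r"<(/?)(Location|LimitExcept|Limit)\b\s*([^>]*)>", line, re.I)
        if m:
            closing, tag, args = m.group(1), m.group(2).lower(), m.group(3)
            if tag == "location":
                if closing:
                    if covered and METHODS - covered:
                        report[path] = sorted(METHODS - covered)
                    path = None
                else:
                    path, scope, covered = args.strip(), METHODS, set()
            elif closing:
                scope = METHODS              # back to "all methods"
            else:
                named = {a.upper() for a in args.split()}
                if "GET" in named:
                    named.add("HEAD")        # httpd handles HEAD under GET's method number
                scope = named if tag == "limit" else METHODS - named
        elif path is not None and re.match(r"require\s", line, re.I):
            covered |= scope                 # this Require applies to the current scope
    return report

if __name__ == "__main__":
    print(unauthenticated_methods(POSTED))
    print(unauthenticated_methods(FIXED))
```

An empty result means every method in the list is behind a Require; a location with no Require at all is not reported by this check.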
Re: [users@httpd] Dav security problem
Posted by David H <go...@yahoo.com>.
Hi Saqib,
Thanks for the advice. Virtual Host may not solve my
problem, people are still able to get in. My question is
why am I not being asked for login or denied access under
normal https and Dav did ask for login?
Thanks,
Dave
--- Saqib Ali <sa...@seagate.com> wrote:
> ForceType text/plain
>
> is your problem. You are forcing everything to text type. You should
> remove that.
>
> If you want to access PHP files using DAV, you need to set a separate
> VirtualHost. See http://www.webdav.org/mod_dav/install.html for more info.
>
> In Peace,
> Saqib Ali
> -------------
> http://validate.sf.net <---- (X)HTML / DocBook XML Validator and Transformer
>
>
> On Sat, 13 Mar 2004, David H wrote:
>
> > Hi all,
> >
> > I have set up Apache 2.0.48 with mod_dav and
> > mod_php. Everything is working fine but I have this
> > security problem... here is my configuration under
> > ssl.conf:
> >
> >
> > Alias /demo /home/demo/docs
> > <Location /demo>
> >
> > Dav On
> >
> > ForceType text/plain
> > AllowOverride None
> > Options None
> >
> > AuthType Basic
> > AuthName Demo
> > AuthUserFile /web/www/restriction/demo
> >
> > <LimitExcept GET POST OPTIONS>
> > require user david
> > </LimitExcept>
> > </Location>
> >
> > It did ask me for a login name and password when I
> > connect with DAV mapping in Windows, but when I make
> > a directory under demo like example01 and have an
> > HTML file called test.php. Now in my browser I type
> > https://www.mysite.com/demo/example01/test.php and I see
> > all the code. I am not being asked for a password at all.
> > Does anyone know what is wrong?
> >
> > Thanks,
> > David
Re: [users@httpd] Dav security problem
Posted by Saqib Ali <sa...@seagate.com>.
ForceType text/plain
is your problem. You are forcing everything to text type. You should
remove that.
If you want to access PHP files using DAV, you need to set a separate
VirtualHost. See http://www.webdav.org/mod_dav/install.html for more info.
In Peace,
Saqib Ali
-------------
http://validate.sf.net <---- (X)HTML / DocBook XML Validator and Transformer
On Sat, 13 Mar 2004, David H wrote:
> Hi all,
>
> I have set up Apache 2.0.48 with mod_dav and
> mod_php. Everything is working fine but I have this
> security problem... here is my configuration under
> ssl.conf:
>
>
> Alias /demo /home/demo/docs
> <Location /demo>
>
> Dav On
>
> ForceType text/plain
> AllowOverride None
> Options None
>
> AuthType Basic
> AuthName Demo
> AuthUserFile /web/www/restriction/demo
>
> <LimitExcept GET POST OPTIONS>
> require user david
> </LimitExcept>
> </Location>
>
> It did ask me for a login name and password when I
> connect with DAV mapping in Windows, but when I make
> a directory under demo like example01 and have an
> HTML file called test.php. Now in my browser I type
> https://www.mysite.com/demo/example01/test.php and I see
> all the code. I am not being asked for a password at all.
> Does anyone know what is wrong?
>
> Thanks,
> David