
#2085 virtualmin protected folders

Milestone: 1.200
Status: closed
Owner: Jamie Cameron
Priority: 5
Updated: 2005-05-19
Created: 2005-05-19
Creator: Ken Jay
Private: No

When you create a Virtualmin protected folder,
the .passwd file is created as:

-rw-r--r-- 1 kentest kentest 140 May 19 15:40 .htaccess
-rw-r--r-- 1 kentest kentest  33 May 19 15:40 htpasswd

I believe someone's missed out a (dot). This leaves the
contents of the htpasswd file readable in a web browser
on newly created virtual sites:

kentest:LTQOLa4rJYPe.

I have fixed this temporarily by making a default
index.html in the stats folder saying that no stats have
been generated yet.

Discussion

  • Martin Mewes
    2005-05-19


    Uuups, and in addition the .htpasswd file should be created
    outside the directory so that it cannot be reached by
    web browsers, but only by the web daemon of the targeted server.

    Example:

    /path/to/vserver/www/.htaccess
    /path/to/vserver/.htpasswd

    As both vserver/www and vserver are owned by the same
    user (out of my brain), it should be easy to move that file
    out of the way.

    Even if the first line of .htaccess reveals the exact
    position of .htpasswd, an attacker will not be able to reach
    .htpasswd unless the web server itself is broken.

    kind regards

    Martin Mewes
    Webmin-Translation-Team

     
  • Jamie Cameron
    2005-05-19


    Good point ..
    In the next Virtualmin release, the .htaccess file will have
    a directive like:
    <Files htpasswd>
    deny from all
    </Files>
    to hide the password file.

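    As an added example (not Virtualmin's or Webmin's code), a small Python audit that walks a document root the way this thread describes: it reports htpasswd-like files a browser could fetch unless the .htaccess beside them carries a <Files> deny block like Jamie's, and it never sees a file placed outside the docroot as Martin suggests. The directory layout and the user record it builds are constructed sample data.

```python
import os
import re
import tempfile
from fnmatch import fnmatch

# Constructed example, not Virtualmin code: audit a web root for fetchable htpasswd files.
HTPASSWD_NAME = re.compile(r"^\.?htpasswd$")
FILES_BLOCK = re.compile(r'<Files\s+"?([^">]+?)"?\s*>(.*?)</Files>', re.I | re.S)
DENY_ALL = re.compile(r"deny\s+from\s+all|require\s+all\s+denied", re.I)

def denied_by_htaccess(htaccess_text, filename):
    """True if a <Files> block denies all access to filename (2.2 "Deny from all"
    or 2.4 "Require all denied"); the regex form <Files ~ ...> is not parsed."""
    return any(fnmatch(filename, name) and DENY_ALL.search(body)
               for name, body in FILES_BLOCK.findall(htaccess_text))

def find_exposed_password_files(docroot):
    """Docroot-relative paths of htpasswd-like files not denied by the .htaccess
    beside them. A file kept outside docroot (Martin's layout) is never walked."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        htaccess = ""
        if ".htaccess" in files:
            with open(os.path.join(dirpath, ".htaccess")) as fh:
                htaccess = fh.read()
        for name in files:
            if HTPASSWD_NAME.match(name) and not denied_by_htaccess(htaccess, name):
                exposed.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(exposed)

def build_demo(base):
    """Recreate the ticket's layout under base with constructed sample data."""
    docroot = os.path.join(base, "www")
    auth = "AuthType Basic\nAuthName Stats\nAuthUserFile {d}/htpasswd\nrequire valid-user\n"
    for sub, extra in (("stats", ""),  # as reported: no dot, no <Files> block
                       ("stats-fixed", "<Files htpasswd>\ndeny from all\n</Files>\n")):
        d = os.path.join(docroot, sub)
        os.makedirs(d)
        with open(os.path.join(d, ".htaccess"), "w") as fh:
            fh.write(auth.format(d=d) + extra)
        with open(os.path.join(d, "htpasswd"), "w") as fh:
            fh.write("kentest:CONSTRUCTED_HASH\n")
    return docroot

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return find_exposed_password_files(build_demo(tmp))

if __name__ == "__main__":
    print(demo())  # ['stats/htpasswd']
```

Only the folder laid out as in the report is flagged; the copy carrying Jamie's <Files htpasswd> block passes.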
     
  • Jamie Cameron
    2005-05-19

    • status: open --> closed