[Ids-devel] IDS default install leaves admin accessible to everyone

[Scott G. <sga...@nc...>]

John,

I just installed IDS and was in the process of trying to setup some
administative features when I noticed that, following all of your
instructions, I was able to access the admin page without having to put
in a password that I had created with htpasswd command.
I thought that this may be just a problem with my setup or installation,
so I went out to the example pages that you link from the
ids.sourceforge.net page and tried to access the admin pages for some of
those sites... and voila -- I could administer their pages at will!

I found the problem with my installation was that the RH7.0/7.1 Linux
Apache (apache-1.3.19-5.rpm)  installation comes with the httpd.conf
file with the following settings:
#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
#<Directory "/var/www/cgi-bin">
<Directory "/home/httpd/cgi-bin">
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>


I had to change the AllowOverride to say "AuthConfig" in order for the
.htaccess file in the admin sub-directory to have any affect.
#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
#<Directory "/var/www/cgi-bin">
<Directory "/home/httpd/cgi-bin">
    AllowOverride AuthConfig
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>


You should add this step to your setup/installation instructions, or
else others are leaving their pages open for hacking.

Otherwise, thanks for such a great program!

Scott Gaskins
sga...@nc...