Arg. I need some help... I wasn't sure where to ask this, and I know there are some security experts in this forum.
Does anyone know where there are some good "white paper" reports on the "standard" method of security for a website? Is there any type of comparison material between using .htaccess and a custom system?
I'm trying to appease an employer who wants to know if their .htaccess protected directories are safe enough. I've got them going to the business owner to try and put a $$ value on the data that is in the directories (reports), and I'm supposed to try and find out what the "internet standard method of security" is supposed to be.
I basically told them the only real "standard" is .htaccess, and everything else is a custom solution.
Anybody have any thoughts on this? Where can I find documents and/or papers on the subject?
As an example, here's a sample link that they are using .htaccess to protect. (http://gridops.bchydro.bc.ca/reports/henri/) How difficult would it be to hack into this? Is it safe to use .htaccess?
I don't know the answer to your question, but I know one security hole in .htaccess. If you have a CGI interpreter program such as PHP installed in your web server's cgi-bin directory it can be used to view documents that are in a .htaccess directory without needing the password. I think it's done something like this:
The cracker still needs to know the exact path to the document, and this can be easily avoided by being cautious about what executables go in your cgi-bin.
My web host tells me that PHP is installed as a CGI. Does this mean there is a PHP.EXE file in my cgi-bin directory? If so, I can't see anything there; there are just the regular CGI programs I put there myself.
Are there some docs on how this exploit works?
Anybody else have any info on .htaccess or know what would be considered a "standard" for the web industry for security?
As I understand it, this security flaw is only a problem if the PHP executable has been put in the cgi-bin. It is perfectly possible to install PHP as a CGI module without placing it in the cgi-bin, which is what almost all hosts do and eliminates the security problem I mentioned.
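To make the mechanism behind the two replies above concrete (the PHP CGI binary in cgi-bin reading a protected file, and why it only matters when the binary is reachable by URL), here is an added example that is not from the thread or from Apache or PHP. It is a small Python model of the request flow: Apache applies the .htaccess rules of the directory it maps the URI to, so for a request of the form /cgi-bin/php/reports/henri/daily.html the directory checked is /cgi-bin/, the remainder becomes PATH_INFO, and the CGI spec turns that into PATH_TRANSLATED under the document root, which php-cgi then opens itself. The document root, the file daily.html and its contents are constructed for the example; the /reports/henri/ prefix is taken from the link in the first post. The second half models the standard PHP mitigation, cgi.force_redirect, under which php-cgi refuses to run unless the web server set REDIRECT_STATUS, which Apache does only when the binary was reached through an internal Action/AddHandler redirect rather than a direct URL.

```python
"""Model of the .htaccess bypass through a PHP CGI binary in cgi-bin.

Added illustration, not code from the forum thread, Apache or PHP.
Paths, file names and file contents below are constructed.
"""
from dataclasses import dataclass

DOCROOT = "/var/www/html"            # constructed document root
CGI_PHP_URL = "/cgi-bin/php"         # php binary reachable via ScriptAlias'd cgi-bin
PROTECTED = ("/reports/henri/",)     # URL prefixes guarded by an .htaccess "require valid-user"

# Constructed content of the protected report directory.
FILES = {
    DOCROOT + "/reports/henri/daily.html": "<h1>confidential report</h1>",
}


@dataclass
class Request:
    uri: str
    authenticated: bool = False      # did the client pass HTTP Basic auth?


@dataclass
class Response:
    status: int
    body: str = ""
    note: str = ""


def php_cgi(env: dict, force_redirect: bool) -> Response:
    """Model of php-cgi handling a request.

    php-cgi opens the file named by PATH_TRANSLATED on its own; Apache's
    per-directory rules for that file's directory were never consulted.
    With cgi.force_redirect on, the binary bails out unless the server
    set REDIRECT_STATUS, i.e. unless it was invoked through a handler.
    """
    if force_redirect and "REDIRECT_STATUS" not in env:
        return Response(403, note="Security Alert! The PHP CGI cannot be accessed directly.")
    target = env["PATH_TRANSLATED"]
    if target not in FILES:
        return Response(404)
    # A .html file contains no PHP tags, so php-cgi echoes it verbatim.
    return Response(200, FILES[target], note="served by php-cgi, no auth check")


def apache_serve(req: Request, force_redirect: bool) -> Response:
    """Rough model of Apache mapping a URI and applying .htaccess.

    Access control is applied to the directory of the resource the URI
    maps to.  For a direct request under cgi-bin that resource is the
    php binary, and the trailing path becomes PATH_INFO / PATH_TRANSLATED.
    """
    # Case 1: URI names a protected static file -> .htaccess applies.
    if req.uri.startswith(PROTECTED):
        if not req.authenticated:
            return Response(401, note="WWW-Authenticate: Basic (from .htaccess)")
        return Response(200, FILES.get(DOCROOT + req.uri, ""))

    # Case 2: URI names the php binary in cgi-bin -> execute it directly.
    if req.uri.startswith(CGI_PHP_URL):
        path_info = req.uri[len(CGI_PHP_URL):]
        env = {
            "PATH_INFO": path_info,
            "PATH_TRANSLATED": DOCROOT + path_info,
            # No REDIRECT_STATUS: Apache sets it only on internal redirects.
        }
        return php_cgi(env, force_redirect)

    # Case 3: nothing maps here (e.g. php binary kept outside any cgi-bin).
    return Response(404)


def demo() -> dict:
    """Run the three interesting requests and return their status codes."""
    return {
        "direct_unauth": apache_serve(Request("/reports/henri/daily.html"), False).status,
        "bypass_via_cgi": apache_serve(Request("/cgi-bin/php/reports/henri/daily.html"), False).status,
        "with_force_redirect": apache_serve(Request("/cgi-bin/php/reports/henri/daily.html"), True).status,
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The model shows the check a practitioner would run on a host: request the php binary directly by URL; if it executes at all instead of returning 403 or 404, either cgi.force_redirect is off or the binary sits in a ScriptAlias'd directory, and any file under the document root can be read through it regardless of .htaccess. Keeping the binary out of any URL-reachable directory, as the last reply suggests, collapses the bypass into case 3 of the model.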