#1 Confirmed Halfwit (joined Oct 1999; Vancouver, BC, Canada; 983 posts)
    Arg. I need some help... I wasn't sure where to ask this, and I know there are some security experts in this forum.

    Does anyone know where there are some good "white paper" reports on the "standard" method of security for a website? Is there any type of comparison material between using .htaccess and a custom system?

    I'm trying to appease an employer who wants to know if their .htaccess protected directories are safe enough. I've got them going to the business owner to try and put a $$ value on the data that is in the directories (reports), and I'm supposed to try and find out what the "internet standard method of security" is supposed to be.

    I basically told them the only real "standard" is .htaccess, and everything else is a custom solution.

    Anybody have any thoughts on this? Where can I find documents and/or papers on the subject?

    As an example, here's a sample link that they are using .htaccess to protect. (http://gridops.bchydro.bc.ca/reports/henri/) How difficult would it be to hack into this? Is it safe to use .htaccess?

    Thanks!
    Last edited by hstraf; Apr 19, 2001 at 23:28.

#2 Skunk, Grumpy Mole Man (joined Jan 2001; Lawrence, Kansas; 2,067 posts)
    I don't know the answer to your question, but I know one security hole in .htaccess. If you have a CGI interpreter program such as PHP installed in your web server's cgi-bin directory, it can be used to view documents that are in a .htaccess directory without needing the password. I think it's done something like this:

    http://www.someserver.com/cgi-bin/ph.../document.html

    The cracker still needs to know the exact path to the document, and this can be easily avoided by being cautious about what executables go in your cgi-bin.

#3 Confirmed Halfwit (joined Oct 1999; Vancouver, BC, Canada; 983 posts)
    Thanks Skunk.

    My web host tells me that PHP is installed as a CGI. Does this mean there is a PHP.EXE file in my cgi-bin directory? If so, I can't see anything there... there are just the regular cgi programs I put there myself.

    Are there some docs on how this exploit works?

    Anybody else have any info on .htaccess or know what would be considered a "standard" for the web industry for security?

#4 Skunk, Grumpy Mole Man (joined Jan 2001; Lawrence, Kansas; 2,067 posts)
    As I understand it, this security flaw is only a problem if the PHP executable has been put in the cgi-bin. It is perfectly possible to install PHP as a CGI module without placing it in the cgi-bin, which is what almost all hosts do, and that eliminates the security problem I mentioned.
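Added example, not part of the thread: a constructed Python model of the bypass described in post #2 and of the fix in post #4. Apache evaluates per-directory access control (the .htaccess) for the directory the request URI maps to. For a URI such as /cgi-bin/php/reports/henri/q1.html that directory is /cgi-bin/, so the .htaccess in /reports/henri/ never runs; the trailing part of the URI becomes PATH_INFO, and a PHP CGI binary sitting in cgi-bin simply opens PATH_TRANSLATED (DocumentRoot plus PATH_INFO) and emits it. The model also shows PHP's --enable-force-cgi-redirect build option, which refuses to run unless Apache reached the binary through an internal redirect; that mitigation is not mentioned in the thread. The directory layout, file names, .htaccess contents and "report" text are all made up, and the dispatcher is a simplification of Apache and PHP, not their code.

```python
"""Toy model of the .htaccess bypass via a PHP CGI binary in cgi-bin.

Constructed simulation: the site layout, file names and report contents
are invented, and serve() is a deliberately simplified stand-in for
Apache's request mapping plus the PHP CGI's file handling.
"""
import os
import tempfile

SECRET = "SECRET REPORT q1\n"   # constructed "protected" report content


def build_site(root):
    """Create the constructed tree: a password-protected /reports/henri/
    and a /cgi-bin/ that (wrongly) contains the PHP interpreter itself.
    For simplicity cgi-bin lives under DocumentRoot here."""
    protected = os.path.join(root, "reports", "henri")
    os.makedirs(protected)
    os.makedirs(os.path.join(root, "cgi-bin"))
    with open(os.path.join(protected, ".htaccess"), "w") as f:
        f.write("AuthType Basic\nAuthName reports\nRequire valid-user\n")
    with open(os.path.join(protected, "q1.html"), "w") as f:
        f.write(SECRET)
    with open(os.path.join(root, "cgi-bin", "php"), "w") as f:
        f.write("#!php-cgi-placeholder\n")   # stands in for php / php.exe
    return root


def requires_auth(root, directory):
    """Walk from DocumentRoot down to `directory`, as Apache does for a
    per-directory check, and report whether any .htaccess has a Require."""
    rel = os.path.relpath(directory, root)
    parts = [] if rel == "." else rel.split(os.sep)
    cur = root
    for p in [None] + parts:
        if p is not None:
            cur = os.path.join(cur, p)
        ht = os.path.join(cur, ".htaccess")
        if os.path.exists(ht):
            with open(ht) as f:
                if any(line.startswith("Require") for line in f):
                    return True
    return False


def split_script(root, uri):
    """Longest leading part of the URI that is an existing file is the CGI
    script; whatever follows it is PATH_INFO."""
    parts = uri.strip("/").split("/")
    for i in range(len(parts), 0, -1):
        candidate = os.path.join(root, *parts[:i])
        if os.path.isfile(candidate):
            return candidate, "/" + "/".join(parts[i:])
    return None, uri


def serve(root, uri, authenticated=False, force_cgi_redirect=False):
    """Return (status, body) for one request."""
    if uri.startswith("/cgi-bin/"):
        script, path_info = split_script(root, uri)
        if script is None:
            return 404, ""
        # Access control is checked for the script's directory (cgi-bin),
        # NOT for the directory named inside PATH_INFO.
        if requires_auth(root, os.path.dirname(script)) and not authenticated:
            return 401, ""
        if os.path.basename(script) == "php":
            # Modelled --enable-force-cgi-redirect: PHP bails out unless
            # Apache set REDIRECT_STATUS, i.e. it was reached via an
            # Action/AddHandler redirect rather than a direct /cgi-bin/php URL.
            if force_cgi_redirect:
                return 403, "Security Alert! The PHP CGI cannot be accessed directly."
            path_translated = os.path.join(root, path_info.lstrip("/"))
            if not os.path.isfile(path_translated):
                return 404, ""
            with open(path_translated) as f:
                return 200, f.read()       # PHP opens and emits the file
        return 200, "(other cgi output)"
    # Static request: the target directory's own .htaccess applies.
    target = os.path.join(root, uri.lstrip("/"))
    if not os.path.isfile(target):
        return 404, ""
    if requires_auth(root, os.path.dirname(target)) and not authenticated:
        return 401, ""
    with open(target) as f:
        return 200, f.read()


def demo():
    """Run the four cases from the thread and return their (status, body)."""
    root = build_site(tempfile.mkdtemp())
    doc = "/reports/henri/q1.html"
    via_php = "/cgi-bin/php" + doc
    results = {
        "direct, no password": serve(root, doc),
        "direct, with password": serve(root, doc, authenticated=True),
        "via cgi-bin/php, no password": serve(root, via_php),
        "same, force-cgi-redirect": serve(root, via_php, force_cgi_redirect=True),
    }
    # Post #4's fix: keep the interpreter out of cgi-bin altogether.
    os.remove(os.path.join(root, "cgi-bin", "php"))
    results["via cgi-bin/php after moving php out"] = serve(root, via_php)
    return results


if __name__ == "__main__":
    for case, (status, body) in demo().items():
        print(f"{case:40s} -> {status} {body.strip()!r}")
```

The two things to check on a real host are whether the interpreter binary is reachable under a URL at all (ideally it lives outside every ScriptAlias and is wired in with Action/AddHandler), and whether it was built with force-cgi-redirect so a direct hit is refused even if it is reachable.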

