alt.apache.configuration: Apache web server configuration issues
#1
Hi,

I'm new to Apache and use version 2.2.4. Does someone know what's wrong with this basic authentication?

Access to folder sub1 and its subfolders must be limited to user Pingu:

    C:/Apache2/myvirtualhost/archive/sub1/sub2/sub3

There is a .htaccess file in folder sub1, with the content:

    AuthType Basic
    AuthName "Poorly secured area"
    AuthUserFile /Apache2/myvirtualhost/pswd/users
    Require user Pingu

File "C:/Apache2/myvirtualhost/pswd/users" has content like this:

    Pingu:HiSpAsSwOrd

Strangely, I can download the files in folder sub3 without authentication. There is no error in the log file, but the authentication window does not display. It is as if the Pingu username was found and the "Require user" condition matched without asking any password. How do I make the username and password be asked?

Thanks for any .

NB.
- My version of Apache 2.2.4 runs on Windows XP.
- I wonder if the AuthUserFile string is transmitted on the network and if I should rather use a path relative to the server root, using an Alias, in order to hide the password file path from bad guys.
#2
geometris@fastmail.fm wrote in news:1178536630.433530.303600@y80g2000hsf.googlegroups.com:

> Hi,
>
> I'm new to Apache and use version 2.2.4.
>
> Does someone know what's wrong with this basic authentication:
>
> Folder sub1 and subfolders access must be limited to user Pingu :
> C:/Apache2/myvirtualhost/archive/sub1/sub2/sub3
>
> There is a .htaccess file in folder sub1, with the content:
>
> AuthType Basic
> AuthName "Poorly secured area"
> AuthUserFile /Apache2/myvirtualhost/pswd/users
> Require user Pingu
>
> File "C:/Apache2/myvirtualhost/pswd/users" has content like this :
> Pingu:HiSpAsSwOrd
>
> Strangely, I can download the files in folder sub3 without
> authentication.
> There is no error in the log file, but the authentication window
> does not display. It is like if the Pingu username was found and the
> "Require user" condition matched without asking any password. How to
> make the username and password be asked ?
>
> Thanks for any .
>
> NB.
> - My version of Apache 2.2.4 runs on Windows XP.
> - I wonder if the AuthUserFile string is transmitted on the network
> and if I should rather use a path relative to the server root,
> using an Alias, in order to hide the password file path to bad guys.

This problem is usually:

    AllowOverride NONE
#3
On May 7, 1:11 pm, Mark <mtaylor*@*lrim.com> wrote:
> geomet...@fastmail.fm wrote in news:1178536630.433530.303600@y80g2000hsf.googlegroups.com:
>
> > Hi,
> >
> > I'm new to Apache and use version 2.2.4.
> >
> > Does someone know what's wrong with this basic authentication:
> >
> > Folder sub1 and subfolders access must be limited to user Pingu :
> > C:/Apache2/myvirtualhost/archive/sub1/sub2/sub3
> >
> > There is a .htaccess file in folder sub1, with the content:
> >
> > AuthType Basic
> > AuthName "Poorly secured area"
> > AuthUserFile /Apache2/myvirtualhost/pswd/users
> > Require user Pingu
> >
> > File "C:/Apache2/myvirtualhost/pswd/users" has content like this :
> > Pingu:HiSpAsSwOrd
> >
> > Strangely, I can download the files in folder sub3 without
> > authentication.
> > There is no error in the log file, but the authentication window
> > does not display. It is like if the Pingu username was found and the
> > "Require user" condition matched without asking any password. How to
> > make the username and password be asked ?
> >
> > Thanks for any .
> >
> > NB.
> > - My version of Apache 2.2.4 runs on Windows XP.
> > - I wonder if the AuthUserFile string is transmitted on the network
> > and if I should rather use a path relative to the server root,
> > using an Alias, in order to hide the password file path to bad guys.
>
> This problem is usually:
>
> AllowOverride NONE

As Mark says, try adding

    AllowOverride All

to the list of rules.

Also, you must create your user:pass string using htpasswd, or manually using md5(pass). You will find the htpasswd program in apache/bin:

    htpasswd -c filename Pingu
    > type password

Use an absolute path reference for the auth file,

    C:/Apache2/myvirtualhost/archive/sub1/sub2/sub3

not

    /Apache2/myvirtualhost/archive/sub1/sub2/sub3

Exactly how can the contents be downloaded? If you are worried about security then use a

    <Directory C:/Apache2/myvirtualhost/archive/sub1/sub2/sub3>
        auth stuff here
    </Directory>

stanza in the main httpd.conf file, turn off .htaccess (which is better for a few different reasons), and don't use "basic auth", which transmits the base64(user:pass) for each request.
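Mark's and shimmishack's advice put together for the folder layout in the question, as an added httpd.conf excerpt that is not from either poster. The DocumentRoot is an assumption; the sub1 and pswd paths are the ones from the thread, and the syntax is Apache 2.2.

```apache
# httpd.conf excerpt, Apache 2.2.x on Windows. DocumentRoot is an assumption.
DocumentRoot "C:/Apache2/myvirtualhost/archive"

# Whole tree: no .htaccess processing, no options. With AllowOverride None
# Apache never opens sub1/.htaccess, so its Require line is never seen and
# sub3 is served with no challenge and nothing in the error log, exactly as
# reported in the question.
<Directory "C:/Apache2/myvirtualhost/archive">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Minimal fix: let the .htaccess in sub1 set authentication directives only.
# AuthConfig covers AuthType, AuthName, AuthUserFile and Require. A .htaccess
# dropped into sub2 or sub3 cannot add Options +ExecCGI with this setting,
# but it could still redefine the auth rules for its own folder, so this
# only holds while users cannot write into these folders.
<Directory "C:/Apache2/myvirtualhost/archive/sub1">
    AllowOverride AuthConfig
</Directory>

# Alternative with no .htaccess at all (shimmishack's preference): delete
# the AllowOverride AuthConfig line above and put the directives here.
#<Directory "C:/Apache2/myvirtualhost/archive/sub1">
#    AuthType Basic
#    AuthName "Poorly secured area"
#    AuthUserFile "C:/Apache2/myvirtualhost/pswd/users"
#    Require user Pingu
#</Directory>

# Either way, the user file: absolute path with the drive letter, kept
# outside DocumentRoot so it can never be requested over HTTP. The server
# only reads the path locally; it is never sent to clients. Populate it with
#   htpasswd -c C:/Apache2/myvirtualhost/pswd/users Pingu
# which stores an MD5 hash of the password instead of the plaintext.
```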
#4
Thank you Mark and shimmishack.

Strangely, there is no "AllowOverride None" directive in the httpd.conf file. I'll however try what you said.

In the book about Apache from Ben and Peter Laurie (O'Reilly), it is said that passwords are not encoded with Apache's for Win32. I observed that htpasswd now exists for Windows. Is password encoding now obligatory or just advised? I wanted to test authentication as simply as possible... I'm aware that digest authentication and encoded passwords are highly recommended for my site's final version. But can I not first test authentication without encoding the passwords?

I also wonder if it would not be more secure to choose AllowOverride AuthConfig rather than AllowOverride All.

Last but not least: should I set in the .htaccess file the AllowOverride directive to None to prevent a user putting his own .htaccess files in the subfolders to which he has access? I don't want the user to be able to upload files nor to add himself +ExecCGI or other options in .htaccess files. (Told another way, is there a risk that a user having access to sub1 can put his own .htaccess file in sub1/sub2/sub3 that overrides the .htaccess file permissions in sub1?)

I know that using the config file rather than .htaccess files has many advantages, but I don't plan to have hundreds of users at the beginning, and their own folders are created dynamically. (Never created if a user renounces his account.) The .htaccess file is created just after the user folder.

> As Mark says, try adding AllowOverride All to the list of rules.
>
> Also, you must create your user:pass string using htpasswd, or manually
> using md5(pass). You will find the htpasswd program in apache/bin:
> htpasswd -c filename Pingu
> > type password
>
> Use an absolute path reference for the auth file,
> C:/Apache2/myvirtualhost/archive/sub1/sub2/sub3
> not
> /Apache2/myvirtualhost/archive/sub1/sub2/sub3
> Exactly how can the contents be downloaded? If you are worried about
> security then use a
> <Directory C:/Apache2/myvirtualhost/archive/sub1/sub2/sub3>
> auth stuff here
> </Directory>
> stanza in the main httpd.conf file, turn off .htaccess (which is
> better for a few different reasons), and don't use "basic auth", which
> transmits the base64(user:pass) for each request.
#5
On May 7, 3:58 pm, geomet...@fastmail.fm wrote:
> > As Mark says, try adding AllowOverride All to the list of rules.
> > Also, you must create your user:pass string using htpasswd, or manually
> > using md5(pass). You will find the htpasswd program in apache/bin:
> > htpasswd -c filename Pingu
> > > type password
> >
> > Use an absolute path reference for the auth file,
> > C:/Apache2/myvirtualhost/archive/sub1/sub2/sub3
> > not
> > /Apache2/myvirtualhost/archive/sub1/sub2/sub3
> > Exactly how can the contents be downloaded? If you are worried about
> > security then use a
> > <Directory C:/Apache2/myvirtualhost/archive/sub1/sub2/sub3>
> > auth stuff here
> > </Directory>
> > stanza in the main httpd.conf file, turn off .htaccess (which is
> > better for a few different reasons), and don't use "basic auth", which
> > transmits the base64(user:pass) for each request.
>
> Thank you Mark and shimmishack.
>
> Strangely, there is no "AllowOverride None" directive in the httpd.conf
> file. I'll however try what you said.
>
> In the book about Apache from Ben and Peter Laurie (O'Reilly), it is
> said that passwords are not encoded with Apache's for Win32. I
> observed that htpasswd now exists for Windows. Is password
> encoding now obligatory or just advised? I wanted to test
> authentication as simply as possible...
> I'm aware that digest authentication and encoded passwords are
> highly recommended for my site's final version. But can I not first
> test authentication without encoding the passwords?
>
> I also wonder if it would not be more secure to choose AllowOverride
> AuthConfig rather than AllowOverride All.
>
> Last but not least: should I set in the .htaccess file the
> AllowOverride directive to None to prevent a user putting his
> own .htaccess files in the subfolders to which he has access? I don't
> want the user to be able to upload files nor to add himself +ExecCGI or
> other options in .htaccess files.
> (Told another way, is there a risk that a user having access to sub1
> can put his own .htaccess file in sub1/sub2/sub3 that overrides
> the .htaccess file permissions in sub1?)
>
> I know that using the config file rather than .htaccess files has many
> advantages, but I don't plan to have hundreds of users at the
> beginning, and their own folders are created dynamically. (Never
> created if a user renounces his account.) The .htaccess file is
> created just after the user folder.

FYI: some people don't like it when you reply above the post (top posting).

Don't be worried about users adding .htaccess files, unless you are giving them permissions to create or upload files in those directories. If you are _at all_ worried about security, turn .htaccess files OFF, and don't use basic authentication unless over SSL. Also, if you are only using these directories for storage of files that you are creating and allowing your users to see, why not keep them out of the web doc root completely and use a PHP script to retrieve them when needed? This is more secure and solves the "non-dynamic httpd.conf" problem.

You must encode the passwords. Windows has for many years used md5 by default; I don't know why your book says otherwise. It could be right though, I guess; how old is it?

The creation and addition of new users is easy, just use

    htpasswd file user

instead of

    htpasswd -c file user

Using AllowOverride AuthConfig is a good idea. I suggested All because of the "get it up and running, then remove permissions/stuff until just before it breaks" approach.

Regarding digest authentication, at time of writing there are problems at the moment with response splitting in IE and Firefox, so digest authentication is not recommended until the issues are fixed.
#6
> FYI: some people don't like it when you reply above the post (top
> posting).

Thank you for your answer. I did not do top posting but replied to your post. The tree view from Google Groups (see Options link) shows my post slightly offset to the right of yours. Strange. What happened? Mystery...

> Don't be worried about users adding .htaccess files, unless you are
> giving them permissions to create or upload files in those
> directories. If you are _at all_ worried about security, turn .htaccess
> files OFF, and don't use basic authentication unless over SSL. Also, if
> you are only using these directories for storage of files that you are
> creating and allowing your users to see, why not keep them out of the
> web doc root completely and use a PHP script to retrieve them when
> needed? This is more secure and solves the "non-dynamic httpd.conf"
> problem.

So, by default, users won't have rights to write or upload files? This is OK for me. I don't need huge security. With my service, users can create some files in DXF and a few other formats. I just want users to see their data and not the projects of others. This is not bank data and I don't want to fall into paranoia. Aren't .htaccess files secure enough for my purpose?

> You must encode the passwords. Windows has for many years used md5 by
> default; I don't know why your book says otherwise. It could be right
> though, I guess; how old is it?

From 2003 (Apache, la référence, 3rd Edition, Ben Laurie & Peter Laurie, O'Reilly).

> The creation and addition of new users is easy, just use
> htpasswd file user
> instead of
> htpasswd -c file user

I'll try. Thanks.

> Using AllowOverride AuthConfig is a good idea. I suggested All because
> of the "get it up and running, then remove permissions/stuff until
> just before it breaks" approach.
> Regarding digest authentication, at time of writing there are
> problems at the moment with response splitting in IE and Firefox, so
> digest authentication is not recommended until the issues are fixed.

Thanks for this info.
#7
On May 7, 9:59 pm, geomet...@fastmail.fm wrote:
> > FYI: some people don't like it when you reply above the post (top
> > posting).
>
> Thank you for your answer. I did not do top posting but replied to
> your post.
> The tree view from Google Groups (see Options link) shows my post
> slightly offset to the right of yours. Strange. What happened? Mystery...
>
> > Don't be worried about users adding .htaccess files, unless you are
> > giving them permissions to create or upload files in those
> > directories. If you are _at all_ worried about security, turn .htaccess
> > files OFF, and don't use basic authentication unless over SSL. Also, if
> > you are only using these directories for storage of files that you are
> > creating and allowing your users to see, why not keep them out of the
> > web doc root completely and use a PHP script to retrieve them when
> > needed? This is more secure and solves the "non-dynamic httpd.conf"
> > problem.
>
> So, by default, users won't have rights to write or upload files?
> This is OK for me. I don't need huge security. With my service, users
> can create some files in DXF and a few other formats. I just want
> users to see their data and not the projects of others. This is
> not bank data and I don't want to fall into paranoia.
> Aren't .htaccess files secure enough for my purpose?
>
> > You must encode the passwords. Windows has for many years used md5 by
> > default; I don't know why your book says otherwise. It could be right
> > though, I guess; how old is it?
>
> From 2003 (Apache, la référence, 3rd Edition, Ben Laurie & Peter
> Laurie, O'Reilly).
>
> > The creation and addition of new users is easy, just use
> > htpasswd file user
> > instead of
> > htpasswd -c file user
>
> I'll try. Thanks.
>
> > Using AllowOverride AuthConfig is a good idea. I suggested All because
> > of the "get it up and running, then remove permissions/stuff until
> > just before it breaks" approach.
> > Regarding digest authentication, at time of writing there are
> > problems at the moment with response splitting in IE and Firefox, so
> > digest authentication is not recommended until the issues are fixed.
>
> Thanks for this info.

Sorry to accuse you of TP. Google Groups still has a few bugs and annoyances, I know! (They still haven't fixed the HTML entities in the page titles!!)

.htaccess is secure, but because it relies on parsing each folder for the .htaccess file each time any request is made, it results in disk load, which does slow the server. But more than this, the start of the file name .ht is designated as "non downloadable" by the httpd.conf file, so if that is changed or removed by mistake, anyone can see the files and their config lines, and can also download .htpasswd files within the web tree.

If you allow any PHP scripting to go on inside the directories that contain files that might have come from users, then you should take steps to ForceType those files so that they cannot be parsed by the PHP interpreter. Even if the file type is not .php, the PHP interpreter has a quick look and can execute code embedded inside the file. Using this method one can hide PHP script inside the headers of JPEGs, and when the JPEG is loaded it executes PHP code. So be aware of this. XP is a nuisance.

I also use these lines in the Directory block:

    <Directory /path/to.doc.root>
        <LimitExcept GET POST>
            Order allow,deny
            Deny From All
        </LimitExcept>
    </Directory>

to prevent all VERBS except GET and POST. This just ensures that CONNECT, PUT etc. are denied by configuration. If you don't need verbs like OPTIONS and PROPFIND then don't allow them.

Mod security is very nice, and will be a very great addition for any Apache server. Grab mod_security2 from http://www.apachelounge.com/ which is a great site for DLLs and modules for Apache running on Windows.
#8
(...)

> .htaccess is secure, but because it relies on parsing each folder for
> the .htaccess file each time any request is made, it results in disk
> load, which does slow the server. But more than this, the start of the
> file name .ht is designated as "non downloadable" by the httpd.conf file,
> so if that is changed or removed by mistake, anyone can see the files
> and their config lines, and can also download .htpasswd files within
> the web tree.

I started my httpd.conf file from scratch. I considered it good practice to understand what I do and not think "OK, we'll see that later...". I'll add the line to prevent the download of .ht* files.

> If you allow any PHP scripting to go on inside the directories that
> contain files that might have come from users, then you should take
> steps to ForceType those files so that they cannot be parsed by the
> PHP interpreter.

In my case PHP is not installed and I don't allow users to store files. They can just post a text file using a form, and the MIME type is checked. Interesting info however. Might be useful to me one day. Thanks.

> Even if the file type is not .php, the PHP interpreter
> has a quick look and can execute code embedded inside the file. Using
> this method one can hide PHP script inside the headers of JPEGs, and
> when the JPEG is loaded it executes PHP code. So be aware of this. XP
> is a nuisance.

What a good idea I had to renounce PHP and use an uncommon solution!

> I also use these lines in the Directory block:
> <Directory /path/to.doc.root>
> <LimitExcept GET POST>
> Order allow,deny
> Deny From All
> </LimitExcept>
> </Directory>
> to prevent all VERBS except GET and POST.
> This just ensures that CONNECT, PUT etc. are denied by configuration.
> If you don't need verbs like OPTIONS and PROPFIND then don't allow
> them.

Excellent idea.

> Mod security is very nice, and will be a very great addition for any
> Apache server. Grab mod_security2 from http://www.apachelounge.com/
> which is a great site for DLLs and modules for Apache running on
> Windows.

I'll have a look at it.
#9
On May 7, 11:10 pm, geomet...@fastmail.fm wrote:
> (...)
>
> > .htaccess is secure, but because it relies on parsing each folder for
> > the .htaccess file each time any request is made, it results in disk
> > load, which does slow the server. But more than this, the start of the
> > file name .ht is designated as "non downloadable" by the httpd.conf file,
> > so if that is changed or removed by mistake, anyone can see the files
> > and their config lines, and can also download .htpasswd files within
> > the web tree.
>
> I started my httpd.conf file from scratch. I considered it good
> practice to understand what I do and not think "OK, we'll see that
> later...".
> I'll add the line to prevent the download of .ht* files.
>
> > If you allow any PHP scripting to go on inside the directories that
> > contain files that might have come from users, then you should take
> > steps to ForceType those files so that they cannot be parsed by the
> > PHP interpreter.
>
> In my case PHP is not installed and I don't allow users to store
> files.
> They can just post a text file using a form, and the MIME type is
> checked.
> Interesting info however. Might be useful to me one day. Thanks.
>
> > Even if the file type is not .php, the PHP interpreter
> > has a quick look and can execute code embedded inside the file. Using
> > this method one can hide PHP script inside the headers of JPEGs, and
> > when the JPEG is loaded it executes PHP code. So be aware of this. XP
> > is a nuisance.
>
> What a good idea I had to renounce PHP and use an uncommon
> solution!
>
> > I also use these lines in the Directory block:
> > <Directory /path/to.doc.root>
> > <LimitExcept GET POST>
> > Order allow,deny
> > Deny From All
> > </LimitExcept>
> > </Directory>
> > to prevent all VERBS except GET and POST.
> > This just ensures that CONNECT, PUT etc. are denied by configuration.
> > If you don't need verbs like OPTIONS and PROPFIND then don't allow
> > them.
>
> Excellent idea.
>
> > Mod security is very nice, and will be a very great addition for any
> > Apache server. Grab mod_security2 from http://www.apachelounge.com/
> > which is a great site for DLLs and modules for Apache running on
> > Windows.
>
> I'll have a look at it.

Sorry, I forgot to say that the AuthUserFile string is not transmitted on the network; however the user and pass are, on every single request for a file that is inside a protected directory. So keep images/css/js non-protected for minimum surface area of attack. The actual header sent is this:

    Authorized Basic base64encoded('user:pass')

so you can see any Man In The Middle can catch that string and base64-decode it to reveal the actual password.

If you allow txt files to be uploaded via a form, try not to store the txt files on the server where the user can get to them, since a malicious user can store HTML within that text file, and IE7 will parse the txt file, trying to determine its content-type (it doesn't matter what content-type you send to IE7 - it is ignored). Once the HTML is detected, the file will be displayed as HTML, and so this allows cross site scripting to occur on the domain on which the txt file exists. This in turn would allow users to provide links to other users which show the page as if it is a legitimate login form, asking for the other user's user/pass; once given, it could redirect to the page (if using Firefox), authenticating them and showing their files. All this could be a vector for one user to see the other users' files.

Since you have started your httpd.conf file from scratch I would recommend setting the default content-type to be text/plain:

    DefaultType text/plain

As previously said, this does not stop IE7+ from displaying text as HTML, but it should be present.

You might like to know that mod_security would be an easy way to prevent the sending of HTML; you would set it up to parse for script tags, as well as common HTML elements, for all response bodies for that vhost. It really is a great piece of work. Seriously, check this URL out: http://www.gotroot.com/mod_security+rules - prevents spam and rootkits etc... nice and easy, huh!? (See blacklist.conf and blacklist2.conf.)

And here's how I would limit the downloading of htaccess files:

    <FilesMatch "^\.ht">
        Order allow,deny
        Deny from all
    </FilesMatch>

Using logio is quite cool too; it allows you to see the actual bytes received and served, which allows you to gauge what response body was sent to the user agent, and spot oddities that might occur.

    <IfModule logio_module>
        # You need to enable mod_logio.c to use %I and %O
        LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

I guess you also have:

    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

And have you thought about setting the ServerAdmin to be a web form, rather than an email address (Apache 2.2.x lets you do this)?

    ServerAdmin /contact/

Finally, when you set up SSL, visit http://www.cacert.org/ to grab multiple certs for free.

    http://wiki.cacert.org/wiki/VhostTaskForce
    http://wiki.cacert.org/wiki/VhostsApache

tells you how to set it up so you can use name-based vhosting and have a cert for each ServerName on the same IP.
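The hardening points spread over the last four posts (no .htaccess, auth only over SSL, .ht* never served, verbs limited to GET/POST, DefaultType text/plain, logio) gathered into one Apache 2.2 configuration, as an added example rather than anything posted in the thread. The host name, certificate paths and DocumentRoot are assumptions; the sub1 folder and password file are the thread's own. TraceEnable is added because TRACE is not covered by LimitExcept.

```apache
# Apache 2.2.x on Windows. Host name, certificate paths and DocumentRoot are
# assumptions; the protected folder and password file follow the thread.
LoadModule ssl_module   modules/mod_ssl.so
LoadModule logio_module modules/mod_logio.so

# Unknown file types go out as text/plain, never guessed as HTML by the server.
DefaultType text/plain
# TRACE is handled before LimitExcept is consulted, so refuse it explicitly.
TraceEnable Off

# Never serve .htaccess / .htpasswd even if the tree is loosened later.
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>

<IfModule logio_module>
    LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>

# Plain HTTP only redirects, so the Basic credential header is never sent
# in clear on port 80.
<VirtualHost *:80>
    ServerName www.example.test
    Redirect permanent / https://www.example.test/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.test
    ServerAdmin /contact/
    DocumentRoot "C:/Apache2/myvirtualhost/archive"
    CustomLog logs/ssl_access.log combinedio

    SSLEngine on
    # Placeholders: put the real certificate and key here.
    SSLCertificateFile    "C:/Apache2/conf/ssl/www.example.test.crt"
    SSLCertificateKeyFile "C:/Apache2/conf/ssl/www.example.test.key"

    <Directory "C:/Apache2/myvirtualhost/archive">
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
        # Only GET and POST (HEAD rides on GET). PUT, PROPFIND, OPTIONS,
        # CONNECT and the rest are denied for every file under the root.
        <LimitExcept GET POST>
            Order allow,deny
            Deny from all
        </LimitExcept>
    </Directory>

    # Per-user area: authentication lives in the main config, no .htaccess.
    # Keep shared images/css/js outside sub1 so the credential header is not
    # repeated on every asset request.
    <Directory "C:/Apache2/myvirtualhost/archive/sub1">
        # Refuse the request if it somehow arrives without TLS.
        SSLRequireSSL
        AuthType Basic
        AuthName "Poorly secured area"
        # Outside DocumentRoot, so it can never be fetched over HTTP.
        AuthUserFile "C:/Apache2/myvirtualhost/pswd/users"
        Require user Pingu
    </Directory>
</VirtualHost>
```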