Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm) v2.4.x
Dauthus
Posted: Mon Jun 12, 2006 8:21 pm

I don't know if this is old news or not, but I thought I would toss it out for everyone and see.

I just duplicated a website, to another domain. The one thing I forgot to update was the paths to the .htaccess & .staccess files. Both domains are on the same server, (I have a dedicated server with Plesk) but in all actuality they are separate domains.

Since I didn't update the paths, the authentication still worked perfectly, off the .htaccess and .staccess files on the other domain. That got me to wondering.

It looks like we can basically hide the .staccess file just about anywhere on any domain on the same server and it will keep working. I don't know about anyone else, but I have several domains on the server, and can put this file on any one of them, in any directory.

I am seriously looking at putting it elsewhere, possibly the httpsdocs directory. It sure would make it hard for someone to crack when the file is in a different directory on another site.

What does everyone think?

gregexp
Posted: Mon Jun 12, 2006 8:48 pm

This would work for authentication...but it would not block properly for the domain u want

ok let's say u got test1.com
and u want it to link to test.com's .htaccess

This would work for admin authorization (user would be helpless to alter it)
and it would not block the IPs for test1.com

Unless u tell ur .htaccess (test1.com) to read that .htaccess (test.com) contents

in other words not just sentinel needs to be configured to read that .htaccess...if u do get a code telling it to read the file then ur set

Dauthus







Posted: Tue Jun 13, 2006 5:53 pm

Actually, I was looking at using the files for just the admin authentication portion. I can still leave the .htaccess in the root of the domain, I would just put a different .htaccess with just the authentication in another place, along with the .staccess.

That make sense?
 
gregexp







Posted: Tue Jun 13, 2006 6:39 pm

sure u could...what would be the point?
 
Guardian2003
Posted: Tue Jun 13, 2006 6:50 pm

If it is out of the public webspace, it would not be possible to alter it remotely, unless the hacker has root access - that's the theory at least.
 
gregexp







Posted: Tue Jun 13, 2006 7:48 pm

that's true...but doesn't the code in the .htaccess stop that anyway?
 
Guardian2003







Posted: Tue Jun 13, 2006 8:18 pm

That depends on the server configuration and whether a would-be hacker had server access.
We have seen cases of files being written to remotely but whether they would be able to write to a file below the public root - I don't know!

From what I have seen of the 2 tools currently being used, if they can get to one site, they can pretty much get to them all on the same server.

Using HTTPAuth on the admin folders seems a sensible idea but in an ideal world we need to be intercepting their crafted strings and blocking them.
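
A check for the question this thread turns on, whether the .staccess file sits inside public web space, as an added example that is not part of the original posts or of NukeSentinel: it reads the AuthUserFile directive from each site's .htaccess and reports which document root, if any, contains the password file. The Plesk-style paths, the sample .htaccess bodies and the function names are assumptions constructed for illustration.

```python
import posixpath
import re
from pathlib import PurePosixPath

# AuthUserFile is the Apache directive naming the password file (.staccess in this thread).
AUTH_RE = re.compile(r'^[ \t]*AuthUserFile[ \t]+"?([^"\s]+)"?', re.IGNORECASE | re.MULTILINE)


def auth_user_files(htaccess_text):
    """Return the normalized AuthUserFile paths in one .htaccess body.

    Commented-out directives never match. The check is lexical: ".." is
    collapsed, but symlinks are not resolved.
    """
    return [PurePosixPath(posixpath.normpath(p)) for p in AUTH_RE.findall(htaccess_text)]


def exposing_docroot(pwfile, docroots):
    """Return the document root that contains pwfile, or None if it is outside all of them."""
    for root in map(PurePosixPath, docroots):
        if root in pwfile.parents:
            return str(root)
    return None


def audit(htaccess_by_site, docroots):
    """Map (site, password file) to the document root containing it, or None."""
    return {
        (site, str(pw)): exposing_docroot(pw, docroots)
        for site, text in htaccess_by_site.items()
        for pw in auth_user_files(text)
    }


# Constructed sample data: an assumed Plesk-style layout, not paths from the thread.
DOCROOTS = [
    "/var/www/vhosts/test.com/httpdocs",
    "/var/www/vhosts/test.com/httpsdocs",
    "/var/www/vhosts/test1.com/httpdocs",
]
HTACCESS = {
    "test1.com": 'AuthType Basic\nAuthName "Admin"\n'
                 "AuthUserFile /var/www/vhosts/test.com/httpsdocs/.staccess\nRequire valid-user\n",
    "test.com": "# AuthUserFile /var/www/vhosts/test.com/httpdocs/.staccess\n"
                "AuthUserFile /var/www/vhosts/test.com/httpdocs/../private/.staccess\n",
}

if __name__ == "__main__":
    for (site, pw), root in audit(HTACCESS, DOCROOTS).items():
        print(site, pw, "inside " + root if root else "outside every document root")
```

In the sample, the test1.com password file kept under another site's httpsdocs is still reported as inside a document root, while the one under a directory beside the document roots is not.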
 
All times are GMT - 6 Hours
 