Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.4.x
Author Message
Dauthus
Worker
Worker


Joined: Oct 07, 2003
Posts: 211

PostPosted: Mon Jun 12, 2006 8:21 pm Reply with quote

I don't know if this is old news or not, but I thought I would toss it out for everyone and see.

I just duplicated a website, to another domain. The one thing I forgot to update was the paths to the .htaccess & .staccess files. Both domains are on the same server, (I have a dedicated server with Plesk) but in all actuality they are separate domains.

Since I didn't update the paths, the authentication still worked perfectly, off the .htaccess and .staccess files on the other domain. That got me to wondering.

It looks like we can basically hide the .staccess file just about anywhere on any domain on the same server and it will keep working. I don't know about anyone else, but I have several domains on the server, and can put this file on any one of them, in any directory.

I am seriously looking at putting it elsewhere, possibly the httpsdocs directory. It sure would make it hard for someone to crack when the file is in a different directory on another site.

What does everyone think?

_________________
Only registered users can see links on this board! Get registered or login!
Vivere disce, cogita mori 
View user's profile Send private message Visit poster's website
gregexp
The Mouse Is Extension Of Arm


Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

PostPosted: Mon Jun 12, 2006 8:48 pm Reply with quote

This would work for authentication...but it would not block properly for the domain u want

ok lets say u got test1.com
and u want it to link to test.com's .htaccess

This would work for admin autorization(user would be helpless to alter it)
and it would not block the ips for test1.com

Unless u tell ur .htaccess(test1.com) to read that .htaccess(test.com) contents

in otherwords not just sentinel needs to be configured to read that .htaccess...if u do get a code telling it to read the file then ur set

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
Dauthus
PostPosted: Tue Jun 13, 2006 5:53 pm Reply with quote

Actually, I was looking at using the files for just the admin authentication portion. I can still leave the .htaccess in the root of the domain, I would just put a different .htaccess with just the authentication in another place, along with the .staccess.

That make sense?
 
gregexp
PostPosted: Tue Jun 13, 2006 6:39 pm Reply with quote

sure u could...what would be the point?
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Tue Jun 13, 2006 6:50 pm Reply with quote

If it is out of the public webspace, it would not be possible to alter it remotely, unless they hcaker has root access - thats the theory at least.
 
View user's profile Send private message Send e-mail
gregexp
PostPosted: Tue Jun 13, 2006 7:48 pm Reply with quote

thats true...but doesnt the code in the .htaccess stop that anyway?
 
Guardian2003
PostPosted: Tue Jun 13, 2006 8:18 pm Reply with quote

That depends on the server configuration and whether a would be hacker had server access.
We have seen cases of files being written to remotely but whether they would be ale to write to a file below the public root - I don't know!

From what I have seen of the 2 tools currently being used, if they can get to one site, they can pretty much get to them all on the same server.

Using HTTPAuth on the admin folders seems a sensible idea but in an ideal world we need to be intercepting their crafted strings and blocking them.
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.4.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©