Apache Password: Any instance where subfolders not protected?

Forum Moderators: phranque

Message Too Old, No Replies

Apache Password: Any instance where subfolders not protected?

JAB Creations

10:13 am on Sep 4, 2008 (gmt 0)

I have a simple though important question: are the any versions of Apache or any way that a parent directory that is password protected would be able to have any of it's child directories viewed?

/uploads/ - Parent directory is password protected.
/uploads/0001/ - Child directory dependent on parent.

I just tested this out both locally and on my live server and I the child directory was password protected. I'm just trying to cover all my bases. :)

- John

jdMorgan

2:05 pm on Sep 4, 2008 (gmt 0)

If protected by the parent, you would have to add code in the parent or child directory or in the server configuration files to explicitly override that protection in order to to allow the child subdirectories to be accessed.

So could the child directories inexplicably be made accessible? No. Could you allow access, intentionally or accidentally? Yes.

As always, write code, inspect/validate it, and then test it thoroughly before deploying on a publicly-accessible server. Then watch your server access and error log files for several days, looking for any signs of trouble.

Jim

JAB Creations

2:35 pm on Sep 4, 2008 (gmt 0)

Thanks Jim! I figure to flag potential abuse I could simply have PHP note my IP through my database/authentication, and in a generic index.php that simply includes a script to execute in any child directory to send me an email notification if an IP other than mine is accessing files dependent on the HTTP code.

- John