Re: [PHP] php/.htaccess/.htpasswd
You could use fopen() to connect to the file via ftp, therefore keeping the .htaccess file owned by the user for increased security.

Josh Boughner

On Fri, 3 May 2002, Mike Eheler wrote:
> It's possible, but is it really recommended? Wouldn't the
> .htaccess/.htpasswd file have to be owned by the apache user, which
> might leave it open to being overwritten by any kind of a
> weak/exploitable script?
>
> Mike
>
> Josh & Valerie McCormack wrote:
> > I've used the script phtaccess, which I think used the mentioned class.
> > Super easy to use.
> >
> > Josh
> >
> >> On Wed, 1 May 2002, Kelly Meeks wrote:
> >> > Is it possible to use php to admin a password file used by a
> >> > .htaccess file?
> >>
> >> You should check the File_Passwd class from PEAR.
> >>
> >> http://chora.php.net/cvs.php/php4/pear/File
> >>
> >> --
> >> Mika Tuupola http://www.appelsiini.net/~tuupola/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] php/.htaccess/.htpasswd
I'm not exactly sure why that is worse; could you elaborate a little?

Josh

On Fri, 3 May 2002, Miguel Cruz wrote:
> Thus leaving the FTP account's password in view of the httpd, which is
> even worse...
>
> miguel
>
> On Fri, 3 May 2002, serj wrote:
> > You could use fopen() to connect to the file via ftp therefore keeping
> > the .htaccess file owned by the user for increased security.
> >
> > Josh Boughner
> >
> > On Fri, 3 May 2002, Mike Eheler wrote:
> > > It's possible, but is it really recommended? Wouldn't the
> > > .htaccess/.htpasswd file have to be owned by the apache user, which
> > > might leave it open to being overwritten by any kind of a
> > > weak/exploitable script?
> > >
> > > Mike
> > >
> > > Josh & Valerie McCormack wrote:
> > > > I've used the script phtaccess, which I think used the mentioned class.
> > > > Super easy to use.
> > > >
> > > > Josh
> > > >
> > > >> On Wed, 1 May 2002, Kelly Meeks wrote:
> > > >>>> Is it possible to use php to admin a password file used by a
> > > >>>> .htaccess file?
> > > >>
> > > >> You should check the File_Passwd class from PEAR.
> > > >>
> > > >> http://chora.php.net/cvs.php/php4/pear/File
> > > >>
> > > >> --
> > > >> Mika Tuupola http://www.appelsiini.net/~tuupola/
Re: [PHP] php/.htaccess/.htpasswd
Being that the files are owned by their respective users, I would imagine that would make it pretty difficult for the .htaccess file to be overwritten. If someone found a way to overwrite the file, couldn't that person overwrite any file owned by the ftp user anyway? Also, I don't see how someone being able to overwrite the .htaccess file would allow them to grab the ftp password, especially if this is all transmitted over ssl.

I apologize, I'm not trying to start a flame war that I'm sure I'll lose. But I am working on a script that does exactly this, and if I'm doing it wrong perhaps I should begin recoding it.

josh

On Fri, 3 May 2002, Mike Eheler wrote:
> If someone can overwrite your .htaccess there's a chance they can also
> view files through the same exploit (possibly). They could then get your
> FTP login info, and do a lot more damage than just removing password
> access to an area.
>
> Mike
>
> Serj wrote:
> > I'm not exactly sure why that is worse, could you elaborate a little?
> > Josh
> >
> > On Fri, 3 May 2002, Miguel Cruz wrote:
> >> Thus leaving the FTP account's password in view of the httpd, which is
> >> even worse...
> >>
> >> miguel
> >>
> >> On Fri, 3 May 2002, serj wrote:
> >>> You could use fopen() to connect to the file via ftp therefore keeping
> >>> the .htaccess file owned by the user for increased security.
> >>>
> >>> Josh Boughner
> >>>
> >>> On Fri, 3 May 2002, Mike Eheler wrote:
> >>>> It's possible, but is it really recommended? Wouldn't the
> >>>> .htaccess/.htpasswd file have to be owned by the apache user, which
> >>>> might leave it open to being overwritten by any kind of a
> >>>> weak/exploitable script?
> >>>>
> >>>> Mike
> >>>>
> >>>> Josh & Valerie McCormack wrote:
> >>>>> I've used the script phtaccess, which I think used the mentioned class.
> >>>>> Super easy to use.
> >>>>>
> >>>>> Josh
> >>>>>
> >>>>>> On Wed, 1 May 2002, Kelly Meeks wrote:
> >>>>>>>> Is it possible to use php to admin a password file used by a
> >>>>>>>> .htaccess file?
> >>>>>>
> >>>>>> You should check the File_Passwd class from PEAR.
> >>>>>>
> >>>>>> http://chora.php.net/cvs.php/php4/pear/File
> >>>>>>
> >>>>>> --
> >>>>>> Mika Tuupola http://www.appelsiini.net/~tuupola/
[PHP] Re: php/.htaccess/.htpasswd
The way I designed the script was so that each time they want to save changes to their htaccess file through the script, they have to enter their password. So I never have to actually save the password anywhere in the script.

On Fri, 3 May 2002, Mike Eheler wrote:
> The problem is not in them being able to overwrite the .htaccess *and*
> getting your FTP password.. those are the cons for both solutions we
> have presented, respectfully.
>
> Right now the ideal solution seems to be this:
>
> save new .htaccess to a temp file
> save new .htpasswd to a temp file
> use PHP's FTP routines to connect to the FTP server with your
> username/password
> delete existing .htaccess
> delete existing .htpasswd
> upload new .htaccess
> upload new .htpasswd
> close connection
>
> The biggest problem with this is that you have your FTP password in
> plain text in the script that performs this. If anyone for any reason is
> able to take advantage of some kind of exploit that allows them to view
> the source of that file, you're toast. They get ahold of your FTP
> password and have free rein on your website.
>
> I'm open to suggestions.
>
> serj wrote:
> > Being that the files are owned by their respective users, I would imagine
> > that would make it pretty difficult for the .htaccess file to be
> > overwritten, if someone found a way to overwrite the file couldn't that
> > person overwrite any file owned by the ftp user anyway? also I don't see
> > how someone being able to overwrite the .htaccess file would allow them to
> > grab the ftp password, especially if this is all transmitted over ssl. I
> > apologize, I'm not trying to start a flame war that I'm sure I'll
> > lose. But, I am working on a script that does exactly this and if I'm
> > doing it wrong perhaps I should begin recoding it.
> >
> > josh
> >
> > On Fri, 3 May 2002, Mike Eheler wrote:
> >> If someone can overwrite your .htaccess there's a chance they can also
> >> view files through the same exploit (possibly). They could then get your
> >> FTP login info, and do a lot more damage than just removing password
> >> access to an area.
> >>
> >> Mike
> >>
> >> Serj wrote:
> >>> I'm not exactly sure why that is worse, could you elaborate a little?
> >>> Josh
> >>>
> >>> On Fri, 3 May 2002, Miguel Cruz wrote:
> >>>> Thus leaving the FTP account's password in view of the httpd, which is
> >>>> even worse...
> >>>>
> >>>> miguel
> >>>>
> >>>> On Fri, 3 May 2002, serj wrote:
> >>>>> You could use fopen() to connect to the file via ftp therefore keeping
> >>>>> the .htaccess file owned by the user for increased security.
> >>>>>
> >>>>> Josh Boughner
> >>>>>
> >>>>> On Fri, 3 May 2002, Mike Eheler wrote:
> >>>>>> It's possible, but is it really recommended? Wouldn't the
> >>>>>> .htaccess/.htpasswd file have to be owned by the apache user, which
> >>>>>> might leave it open to being overwritten by any kind of a
> >>>>>> weak/exploitable script?
> >>>>>>
> >>>>>> Mike
> >>>>>>
> >>>>>> Josh & Valerie McCormack wrote:
> >>>>>>> I've used the script phtaccess, which I think used the mentioned class.
> >>>>>>> Super easy to use.
> >>>>>>>
> >>>>>>> Josh
> >>>>>>>
> >>>>>>>> On Wed, 1 May 2002, Kelly Meeks wrote:
> >>>>>>>>>> Is it possible to use php to admin a password file used by a
> >>>>>>>>>> .htaccess file?
> >>>>>>>>
> >>>>>>>> You should check the File_Passwd class from PEAR.
> >>>>>>>>
> >>>>>>>> http://chora.php.net/cvs.php/php4/pear/File
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Mika Tuupola http://www.appelsiini.net/~tuupola/
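The design the thread converges on (Mike's temp-file-then-FTP-upload sequence, combined with Josh's rule that the FTP password is typed in for each save and never stored in the script) can be written as the following PHP script. This is an added example, not code from the thread or from the PEAR File_Passwd class. It assumes PHP 7.4 or later with the ftp and openssl extensions, an FTP server that supports explicit FTP over TLS, and Apache 2.4 or later, whose htpasswd accepts bcrypt ("$2y$") entries such as those produced by password_hash(). The host, account name and directory are placeholders. Because the upload is made with the site owner's FTP account, the uploaded .htpasswd stays owned by that account rather than by the httpd user, which is the ownership property the first message in the thread was after.

```php
<?php
// Added example (not from the thread): replace or add one .htpasswd entry over
// FTPS. The FTP password arrives with the POST request and is discarded when
// the request ends; nothing in this file contains a credential.
declare(strict_types=1);

const FTP_HOST   = 'ftp.example.invalid';   // placeholder
const FTP_USER   = 'siteowner';             // placeholder: account that owns the web files
const REMOTE_DIR = '/public_html/private';  // placeholder: directory guarded by .htaccess

/** Build one .htpasswd line ("user:$2y$..."); Apache 2.4+ verifies bcrypt entries. */
function htpasswd_line(string $user, string $password): string
{
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $user)) {
        throw new InvalidArgumentException('invalid username');
    }
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT);
}

/** Merge a new entry into existing .htpasswd content, replacing any entry for $user. */
function update_htpasswd(string $existing, string $user, string $password): string
{
    $lines = array_filter(explode("\n", $existing), fn(string $l) => $l !== '');
    $lines = array_filter($lines, fn(string $l) => explode(':', $l, 2)[0] !== $user);
    $lines[] = htpasswd_line($user, $password);
    return implode("\n", $lines) . "\n";
}

/**
 * Fetch the current .htpasswd, merge the entry, upload the result. ftp_put()
 * overwrites in place, so the separate "delete existing" steps are not needed.
 * Explicit TLS keeps the FTP password off the wire in clear text.
 */
function publish_htpasswd(string $ftpPassword, string $webUser, string $webPassword): void
{
    $conn = ftp_ssl_connect(FTP_HOST, 21, 15);
    if ($conn === false) {
        throw new RuntimeException('cannot connect to FTP server');
    }
    try {
        if (!ftp_login($conn, FTP_USER, $ftpPassword)) {
            throw new RuntimeException('FTP login failed');
        }
        ftp_pasv($conn, true);

        // tempnam() creates the scratch file with mode 0600, readable only by the web server user.
        $tmp = tempnam(sys_get_temp_dir(), 'htp');
        try {
            $existing = '';
            // ftp_get() returns false when the remote file does not exist yet; treat that as empty.
            if (@ftp_get($conn, $tmp, REMOTE_DIR . '/.htpasswd', FTP_BINARY)) {
                $existing = (string) file_get_contents($tmp);
            }
            file_put_contents($tmp, update_htpasswd($existing, $webUser, $webPassword));
            if (!ftp_put($conn, REMOTE_DIR . '/.htpasswd', $tmp, FTP_BINARY)) {
                throw new RuntimeException('upload of .htpasswd failed');
            }
        } finally {
            unlink($tmp);
        }
    } finally {
        ftp_close($conn);
    }
}

// Request handling: the FTP password exists only for the duration of this request.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ftpPassword = (string) ($_POST['ftp_password'] ?? '');
    $webUser     = (string) ($_POST['web_user'] ?? '');
    $webPassword = (string) ($_POST['web_password'] ?? '');
    try {
        publish_htpasswd($ftpPassword, $webUser, $webPassword);
        echo 'Password file updated.';
    } catch (Throwable $e) {
        error_log('htpasswd update failed: ' . $e->getMessage()); // message never includes the password
        echo 'Update failed.';
    } finally {
        unset($ftpPassword, $webPassword, $_POST['ftp_password'], $_POST['web_password']);
    }
}
```

The form that posts to this script should be served over HTTPS, since the FTP password travels in the request body. With this arrangement the script file itself is of no use to anyone who manages to read its source, which was Mike's main objection to the FTP approach, and a script running as the httpd user still cannot write .htaccess or .htpasswd directly because both remain owned by the FTP account.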