Topic: APACHE Using Chrome SECURITY BREACH ??????

dreuzel
Joined: 30 Jan 2006 Posts: 16
Posted: Sat 20 Mar '10 15:03 Post subject: APACHE Using Chrome SECURITY BREACH ??????

Apache security problem
-------------------------
Apache 2.2.15
I hope I handle the following stuff badly, otherwise there is a big security hole in Apache.
The first time after reopening a browser (Chrome), you get access to a secured area without offering the password.
Code:
    Alias /secure/ "c:/www/secure(/)"
    <Directory "F:/internet/secure(/)">
    #Options Indexes Includes FollowSymLinks
    #AuthType digest
    AuthType basic
    AuthName "db odbc "
    AuthBasicProvider dbd
    AuthDBDUserPWQuery "SELECT Password FROM Authenticate WHERE (user_name=%s)"
    Allow from all
    Require valid-user
    </Directory>
A) Start/stop Apache (but this is not important)
B) Open a fresh Chrome [!first time access and you are in !!!!!]
Specify http://site/secure and in you go. No one even asks about security.
Reread the page: a login screen shows up .... all security realised
Do the same thing with the Explorer: >>> Password is asked normally from the first page
And with
Code:
    Alias /secure/ "c:/www/secure(/)"
    <Directory "F:/internet/secure(/)">
    #Options Indexes Includes FollowSymLinks
    #AuthType digest
    AuthType basic
    AuthName "db odbc "
    AuthBasicProvider dbd
    AuthDBDUserPWQuery "SELECT Password FROM Authenticate WHERE (user_name=%s)"
    Require valid-user
    </Directory>
A) Start/stop Apache (but this is not important)
B) Open a fresh Chrome [!first time access and you are in !!!!!]
Do the same thing with Explorer: HTTP 405 Forbidden
Am I right ????? This cannot be !!!!!!????
The client allows access to secured PAGES ????!!!!!!!
Pages that are blocked by MS EXPLORER !!!!!!!!!!!
The security is APACHE's responsibility, NOT the client !!!!

tdonovan Moderator
Joined: 17 Dec 2005 Posts: 614 Location: Milford, MA, USA
Posted: Sun 21 Mar '10 20:44

Did you clear your browser cache in Chrome before trying?
Once Chrome reads the file successfully into its cache, it doesn't check again with Apache to see if it can re-display the same file from its cache.
-tom-
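
Added example, not part of the thread and not Apache Lounge's own code: a Python check that separates the two questions debated here, namely whether Apache itself challenges a request that carries no credentials, and whether a response could be kept and redisplayed by a browser cache. The names `probe` and `assess` and the sample responses are constructed for illustration.

```python
import urllib.error
import urllib.request


def probe(url, timeout=5):
    """Fetch url with no credentials and no browser cache in the path."""
    req = urllib.request.Request(url, headers={"Cache-Control": "no-cache"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 401/403 are raised as errors
        return err.code, dict(err.headers.items())


def assess(status, headers):
    """Return (enforcement, cacheable) for one response to a no-credentials request."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    if status == 401 and "www-authenticate" in h:
        enforcement = "server-enforced"   # the server challenged the request
    elif status == 403:
        enforcement = "server-denied"
    elif 200 <= status < 300:
        enforcement = "not-enforced"      # content was sent without credentials
    else:
        enforcement = "inconclusive"
    directives = {d.strip().split("=")[0]
                  for d in h.get("cache-control", "").split(",")}
    # A successful response without no-store may be kept by a browser cache.
    cacheable = 200 <= status < 300 and "no-store" not in directives
    return enforcement, cacheable


# Constructed sample responses (not captured from the poster's server).
SAMPLES = {
    "challenge": (401, {"WWW-Authenticate": 'Basic realm="db odbc "'}),
    "open page": (200, {"Content-Type": "text/html"}),
    "open, no-store": (200, {"Cache-Control": "private, no-store"}),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(name, assess(status, headers))
```

Calling `assess(*probe("http://site/secure/"))` from a client that has no cache gives the server's own answer, independent of what any browser redisplays.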

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Mon 22 Mar '10 7:22

My thought was that maybe it is storing session data, like Firefox will if you ask it to or it crashes.
Tom's insight explains why Chrome is so fast, and if that is in fact the case, then in this instance it is out of Apache's hands and a big boo-boo on Chrome's side.

tdonovan Moderator
Joined: 17 Dec 2005 Posts: 614 Location: Milford, MA, USA
Posted: Mon 22 Mar '10 12:14

re: "a big boo-boo on Chrome's side"
It's confusing to someone changing the protections on a new webserver, but I think the reasoning behind Chrome's behavior actually makes some sense.
Once the browser has displayed a web page and stored it in the browser's cache, checking again later with the webserver to see if the page has subsequently become protected isn't really helpful.
Since the page has already been retrieved and displayed at least once, asking for a username & password at this point wouldn't protect anything.
Just my 2-cents-worth of opinion...
-tom-

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Mon 22 Mar '10 21:33

Hi Tom,
Valid 2 cents.
I thought they had to log in once to begin with, since dreuzel had said "reopen" and "ReRead." That would put it under 'protected' to begin with, or at least that is how I saw it.
In that case, a protected page should stay protected IMO, basically for the same reason passwords can be required after coming out of a screen saver: in case you walk away from the computer and someone else sits down at it, they cannot then walk back in.
Anyhow, I am just explaining the thinking behind my boo-boo comment.