To add to that. I pulled up http://myURL/myDATAdir/file.db and could see
all passwords from a browser. Ouch. I see what they mean about the password
security. So is .htaccess the answer and if so, how do I do it? I know how
to create files, just don't know what to put in the .htaccess file.

---
Sir Anvil
www.christiangamers.org

On Mon, 9 Oct 2000, CGR Online wrote:

>
> I had a situation just yesterday where someone got into one of the
> accounts on my webring and changed it to a porn site. The rest of the ring
> was just fine but this one site's info was changed. The site itself was
> fine. I'm thinking this may be related. I do have ability to put an
> .htaccess file into my directory. How would this affect the ring itself?
> Would everything work fine unless they tried to view these files or what?
>
>
> ---
> Sir Anvil
> www.christiangamers.org
>
> On Mon, 9 Oct 2000, Gunnar Hjalmarsson wrote:
>
> >
> > A couple of Ringlink users have called my attention to a security issue
> > that affects some Ringlink set-ups.
> >
> > The passwords which give access to the different admin menus are stored
> > in the following files:
> >
> >     admin password - in the rlconfig.pm file
> >     ring passwords - in respective ring.db file
> >     site passwords - in respective sites.db file
> >
> > rlconfig.pm is stored in the 'lib' directory, and ring.db and sites.db
> > are stored in different subdirectories under the 'data' directory.
> >
> > In my own Ringlink installation, the paths to the 'lib' and 'data'
> > directories are as follows:
> >
> >     /www/htdocs/gunnar/cgi-bin/ringlink/lib
> >     /www/htdocs/gunnar/cgi-bin/ringlink/data
> >
> > Both 'lib' and 'data' are located under the 'cgi-bin' directory. Because
> > of the way my server is set up, no files in or under the 'cgi-bin'
> > directory can be read from the web, which means that the password info
> > is protected.
> >
> > However, it doesn't work this way on all servers. This means that in
> > some cases, the files mentioned above, which include password info, are
> > readable from the web.
> >
> > There are two reasons for this posting:
> >
> > 1) To call every Ringlink user's attention to this security issue
> >
> > 2) To ask for suggestions for appropriate steps to protect the
> >    password info
> >
> > These are two possible ways to prevent the files in question from being
> > readable from the web:
> >
> > - If you are on an Apache web server, you can put files named
> >   .htaccess in the 'lib' and 'data' directories. The .htaccess files
> >   are simple text files which in this case should have the following
> >   contents:
> >
> >       order allow,deny
> >       deny from all
> >
> > - If you have access to directories outside the web document root,
> >   you could locate the 'lib' and 'data' directories there.
> >
> > But there are probably servers (webhosting accounts) where none of these
> > solutions are possible to apply. That's why I ask you to post
> > suggestions for other possible methods.
> >
> > / Gunnar
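
The .htaccess step described in the thread, as an added example that is not part of the original messages or of Ringlink: it writes the two quoted directives into 'lib' and 'data', then lists any rlconfig.pm, ring.db or sites.db that no deny-all .htaccess covers. The function names are hypothetical and the directory paths are whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not Ringlink code). Paths passed in are the caller's own.

# protect_dir DIR: write the two directives from the post to DIR/.htaccess.
# An existing .htaccess is left alone so local rules are not overwritten.
protect_dir() {
    [ -d "$1" ] || { echo "missing directory: $1" >&2; return 1; }
    if [ -e "$1/.htaccess" ]; then
        echo "kept existing $1/.htaccess"
        return 0
    fi
    printf 'order allow,deny\ndeny from all\n' > "$1/.htaccess" || return 1
    chmod 644 "$1/.htaccess"    # the web server has to be able to read it
    echo "created $1/.htaccess"
}

# is_covered FILE ROOT: true if FILE's directory, or a parent up to ROOT,
# holds a .htaccess with a "deny from all" line.
is_covered() {
    d=$(dirname "$1")
    root=${2%/}
    while :; do
        if [ -f "$d/.htaccess" ] &&
           grep -Eqi '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' "$d/.htaccess"
        then
            return 0
        fi
        case $d in "$root"|/|.) return 1 ;; esac
        d=$(dirname "$d")
    done
}

# unprotected_files ROOT: print every rlconfig.pm, ring.db and sites.db under
# ROOT that no deny-all .htaccess covers. No output means all are covered.
unprotected_files() {
    find "$1" -type f \( -name rlconfig.pm -o -name ring.db -o -name sites.db \) |
    while IFS= read -r f; do
        is_covered "$f" "$1" || printf '%s\n' "$f"
    done
}

# Typical run, from the directory that contains 'lib' and 'data':
#   protect_dir lib && protect_dir data && unprotected_files .
```

The file-system check only shows that the .htaccess files are in place; they take effect only if the Apache configuration allows .htaccess overrides for that directory. Request the URL of one of the .db files again afterwards and confirm the server now refuses it.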