IMPORTANT SECURITY FIX FROGMU WEBPACKAGE
I recently discovered that a default Appserv installation DOES NOT protect your config.htpasswd file. This means that any smart hacker can get your username and password! I tested it myself and easily got the SQL server login username and password for someone's private server!
HOW TO FIX
Quite easy, luckily. Open your Appserv configuration files. You can do this by either going to your start menu -> Programs -> Appserv -> Apache Configure Server -> Edit the httpd.conf Configuration file. Another way of opening it is going to your webserver folder (probably in c:\program files\appserv\), apache -> conf -> httpd.conf
You can open this file using a text editor such as Notepad.
Now, find the line that says

    # Also, folks tend to use names such as .htpasswd for their password
    # files, so this will protect those as well.
    #

This should be around line 407.
Below these lines you will find something like '<files ~"^/.ht"> stuff here </files>'
REPLACE THAT WITH

    <Files *.ht*>
    Deny From All
    </Files>

Now, save the file and restart Apache (using the Apache service monitor, or through your start menu -> programs -> appserv -> Apache Control Server -> Restart)
Applies To:
FrogMu Webpackage 2.0 beta
Credits: FragFrog
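To see which files each rule covers, the following added example (not part of the original post) compares the stock httpd.conf pattern with the post's replacement over a few constructed file names. It assumes the stock rule is Apache's usual `<Files ~ "^\.ht">`, uses Python's `fnmatch` as a stand-in for Apache's wildcard matching, and includes a hypothetical tighter regex that is not from the post.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample basenames; config.htpasswd is the file the post is about.
SAMPLE_FILES = [".htaccess", ".htpasswd", "config.htpasswd",
                "index.html", "index.php"]

# Each rule is a predicate over a file's basename, which is what <Files> matches on.
RULES = {
    # Stock rule (assumed): <Files ~ "^\.ht">, a regex anchored at the start
    # of the name, so only names that BEGIN with ".ht" are covered.
    "stock": lambda name: re.search(r"^\.ht", name) is not None,
    # The post's replacement: <Files *.ht*>, a shell-style wildcard.
    "post": lambda name: fnmatchcase(name, "*.ht*"),
    # Hypothetical tighter regex (assumption, not from the post):
    # <Files ~ "\.ht(access|passwd)$">
    "tight": lambda name: re.search(r"\.ht(access|passwd)$", name) is not None,
}


def denied(rule, files=SAMPLE_FILES):
    """Return the files that the named rule's Deny block would apply to."""
    match = RULES[rule]
    return [f for f in files if match(f)]


def coverage_table(files=SAMPLE_FILES):
    """Map each file name to the list of rule labels that deny it."""
    return {f: [label for label in RULES if RULES[label](f)] for f in files}


if __name__ == "__main__":
    for name, labels in coverage_table().items():
        status = ", ".join(labels) if labels else "served (no rule matches)"
        print(f"{name:18} {status}")
```

The stock rule leaves config.htpasswd readable, while the post's wildcard covers it and also matches names such as index.html, which matters if the site serves static .htm or .html pages.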