
[suse-security] Apache <Files>...</Files> problem



Hi all - happy new year to everyone!

I'm having a problem with the <Files> directive under SuSE 
9.2 pro.

I have posted on users@xxxxxxxxxxxxxxxx for help, but to no 
avail. People have checked my httpd.conf directory syntax as 
OK, and I still do not appear to be getting the correct 
functionality for the <Files>...</Files> container.

Using the following in my httpd.conf file:

<Directory /srv/www/htdocs/KAR/websites/pub/computing/apache-test>
  Options None
  Order deny,allow
  Deny from all
  <Files *.php>
    Order deny,allow
    Deny from all
  </Files>
</Directory>

(I restarted apache with /etc/init.d/apache2 stop, then start.)

If you go to that directory, you will get permission denied 
for the directory, which is not even listed in the 
/pub/computing/ directory, as expected.

If you then add the following filename, get_vars.php, you
will be able to access that file, as well as me from 
localhost.


Here is the URL:

http://www.karsites.net/KAR/websites/pub/computing/apache-test/get_vars.php

And the log entries are:

For an unsuccessful request using:
http://www.karsites.net/KAR/websites/pub/computing/apache-test/

127.0.0.1 - - [29/Dec/2005:20:48:26 +0000]
"GET /KAR/websites/pub/computing/apache-test/ HTTP/1.1" 403 350

For a successful request using:
http://www.karsites.net/KAR/websites/pub/computing/apache-test/get_vars.php

127.0.0.1 - - [29/Dec/2005:20:50:14 +0000]
"GET /KAR/websites/pub/computing/apache-test/get_vars.php
HTTP/1.1" 200 1721

Any ideas as to why this is happening please?

Regards - Keith Roberts
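
One way to check from the access log whether anything under the denied directory is actually being served, run over the two log entries quoted above (an added example, not part of the original post; `served_despite_deny` and `DENIED_PREFIX` are names introduced here, and the URL prefix is taken from the request paths in the post):

```python
import re

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# URL prefix that the <Directory> block in the post is meant to deny.
DENIED_PREFIX = "/KAR/websites/pub/computing/apache-test/"

# The two log entries quoted in the post, each joined onto one line.
SAMPLE_LOG = """\
127.0.0.1 - - [29/Dec/2005:20:48:26 +0000] "GET /KAR/websites/pub/computing/apache-test/ HTTP/1.1" 403 350
127.0.0.1 - - [29/Dec/2005:20:50:14 +0000] "GET /KAR/websites/pub/computing/apache-test/get_vars.php HTTP/1.1" 200 1721
"""


def served_despite_deny(lines, prefix=DENIED_PREFIX):
    """Return parsed entries under `prefix` that were answered with a
    2xx/3xx status, i.e. served although the directory should be denied."""
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # skip blank or non-CLF lines
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path.startswith(prefix) and int(m.group("status")) < 400:
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    for entry in served_despite_deny(SAMPLE_LOG.splitlines()):
        print(entry["time"], entry["host"], entry["path"], entry["status"])
```

Running the same function over the live access log after each configuration change and restart shows whether the deny rule has started to take effect for files as well as for the directory index.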

