.htaccess password protection broken

I set up a website some time ago that contained a public area and a private area. The private area was secured with .htaccess password protection over the relevant directory containing sensitive information.

Everything was thoroughly tested and was working perfectly, until some time in the recent past when it was drawn to my attention that the data was freely available to the whole world without any userid and password. The data was not the launch codes for nuclear missiles, but it was still confidential data that I wanted restricted to authorised users.

I contacted the web hosting company and have been given two supposed reasons as to why the password protection is not working. I find it hard to accept their reasons, given that it used to work perfectly.

They first claimed that my .htaccess file was invalid. They therefore created a new one, but it likewise did not prevent access. My original .htaccess file is below.

They next claimed that it was because my index.html file contained JavaScript. It called two JavaScript files. The first one (below) simply did a document.write of the call to the CSS file. The second one (below) did document.writes of a search form and the dropdown menu. Every HTML file including index.html called those two scripts.

They proved that their first diagnosis was wrong when their amended version of .htaccess did not help. (It was just the last 4 lines of my code.) So the question is: can .htaccess password protection be broken simply by including some trivial JavaScript that writes a menu to the screen, and if so, where on the web is that documented?

It is conceivable that the JavaScript could affect the security of items in the dropdown menu, but it is totally illogical to suggest that index.html itself, which lives in the protected directory, should suddenly become accessible without a password merely because it contains JavaScript that writes out a menu.

Here is my original .htaccess file:

Options -Indexes
AddHandler x-httpd-php .html .htm 

<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>

<Files index.html>
AuthUserFile "/home/xxxxxxxx/.htpasswds/public_html/private/passwd"
AuthName "private"
</Files>

This is the start of my index.html:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html>
    <head>
      <meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <title>xxxxxxxx Private Area</title>
      <script type="text/javascript" src="header1.js"></script>   
    </head>

    <body onload="document.searchbox.query.focus()">
       <div class="page">
       <script type="text/javascript" src="header2.js"></script>

This is header1.js:

document.write('<link href="../menus.css" rel="stylesheet" type="text/css" />');
document.write('<!--[if lt IE 7]>');
document.write('<style type="text/css" media="screen">');
document.write('body{behavior:url(csshover.htc);}');
document.write('</style>');
document.write('<![endif]-->');

This is the start of header2.js (some lines obscured to protect the innocent):

document.write('        <form action="sphider29/search.php" method="get" name="searchbox" target="_blank">');
document.write('            <table align="right">');
document.write('                <tr>');
document.write('                    <td align="center">');
document.write('                    <input type="text" name="query" id="query" size="25" value="" />');
document.write('                    </td>');
document.write('                    <td align="center">');
document.write('                    <input type="hidden" name="search" value="1" />');
document.write('                    <input type="submit" class="sbmt" value="Site Search" />');
document.write('                </tr>');
document.write('            </table>');
document.write('            <div align="center">');
document.write('                <input type="hidden" name="media_only" value="0" />');
document.write('                <input type="hidden" name="db" value="0" />');
document.write('                <input type="hidden" name="prefix" value="0" /> <br />');
document.write('            </div>');
document.write('        </form>');

document.write('<div style="position: absolute; left: 10px; top: 70px; width: 960px; height: 40px;">');

document.write('<ul class="menuH decor1">');
document.write('  <li style="margin-left:70px;"><a href="../">Home</a>');
document.write('  <li> <a class="parent">xxxxx</a>');
document.write('    <ul>');  
document.write('        <li><a class="parent">xxxxxxxxx</a>');
document.write('           <ul>');
document.write('               <li><a href="xxxxxxxxxxxx.pdf" target="_blank">yyyy</a></li>');
document.write('               <li><a href="xxxxxxxxxxxxx.pdf" target="_blank">yyyy</a></li>');
document.write('               <li><a href="xxxxxxxxxx.pdf" target="_blank">yyyy</a></li>');
document.write('               <li><a href="xxxxxxxxxxx.pdf" target="_blank">yyyy</a></li>');
document.write('               <li><a href="xxxxxxxxxxxx.pdf" target="_blank">yyyy</a></li>');

If the problem is the JavaScript, then if I get rid of it and do it all in PHP with a PHP include of the menu code, will that solve the problem?

According to the hosting company my code was fine. It was some other file somewhere that they did not fully explain that was causing the problem.
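
The .htaccess as posted sets AuthUserFile and AuthName inside `<Files index.html>` but contains no AuthType or Require line, and Apache only asks for credentials where a Require directive applies. The following is an added example, not part of the original post: `audit_htaccess` and the `CORRECTED` sample are constructed for illustration, and the audit reports which of the four Basic-auth directives each scope is missing.

```python
import re

# The four directives that must all apply before Apache challenges for Basic auth.
NEEDED = ("authtype", "authname", "authuserfile", "require")

# The .htaccess as posted in the question (blank lines dropped).
POSTED = '''Options -Indexes
AddHandler x-httpd-php .html .htm
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
<Files index.html>
AuthUserFile "/home/xxxxxxxx/.htpasswds/public_html/private/passwd"
AuthName "private"
</Files>
'''

# Constructed for comparison: the same settings applied to the whole directory.
CORRECTED = '''Options -Indexes
AuthType Basic
AuthName "private"
AuthUserFile "/home/xxxxxxxx/.htpasswds/public_html/private/passwd"
Require valid-user
'''

def audit_htaccess(text):
    """Map each scope that configures auth to the NEEDED directives it lacks."""
    scopes = {"(directory)": set()}
    current = "(directory)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<(Files(?:Match)?)\s+(.+?)>$", line, re.I)
        if opened:
            current = f"<{opened.group(1)} {opened.group(2)}>"
            scopes.setdefault(current, set())
        elif re.match(r"</Files(?:Match)?>$", line, re.I):
            current = "(directory)"
        else:
            scopes[current].add(line.split()[0].lower())
    base = scopes["(directory)"]
    report = {}
    for scope, seen in scopes.items():
        effective = seen | base  # <Files> sections inherit directory-level directives
        if effective & set(NEEDED):
            report[scope] = [d for d in NEEDED if d not in effective]
    return report

if __name__ == "__main__":
    for name, sample in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, audit_htaccess(sample))
```

A `<Files index.html>` section matches only files with that name, so the PDFs linked from the menu were never inside the protected scope; placing the directives at directory level, as in `CORRECTED`, covers them as well.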
