
.htaccess password protection broken

I set up a website some time ago that contained a public area and a private area. The private area was secured with .htaccess password protection over the relevant directory containing sensitive information.

Everything was thoroughly tested and was working perfectly, until some time in the recent past when it was drawn to my attention that the data was freely available to the whole world without any userid and password. The data was not the launch codes for nuclear missiles, but it was still confidential data that I wanted restricted to authorised users.

I contacted the web hosting company and have been given two supposed reasons as to why the password protection is not working. I find it hard to accept their reasons, given that it used to work perfectly.

They first claimed that my .htaccess file was invalid. They therefore created a new one, but it likewise did not prevent access. My original .htaccess file is below.

They next claimed that it was because my index.html file contained JavaScript. It called two JavaScript files. The first one (below) simply did a document.write of the call to the CSS file. The second one (below) did document.writes of a search form and the dropdown menu. Every HTML file including index.html called those two scripts.

They proved that their first diagnosis was wrong when their amended version of .htaccess did not help. (It was just the last 4 lines of my code.) So the question is: can .htaccess password protection be broken simply by including some trivial JavaScript that writes a menu to the screen, and if so, where on the web is that documented?

It is conceivable that the JavaScript could affect the security of items in the dropdown menu, but it is totally illogical to suggest that index.html itself, which lives in the protected directory, should suddenly become accessible without a password merely because it contains JavaScript that writes out a menu.

Here is my original .htaccess file:

Options -Indexes
AddHandler x-httpd-php .html .htm 

<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>

<Files index.html>
AuthUserFile "/home/xxxxxxxx/.htpasswds/public_html/private/passwd"
AuthName "private"
</Files>

This is the start of my index.html:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html>
    <head>
      <meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <title>xxxxxxxx Private Area</title>
      <script type="text/javascript" src="header1.js"></script>   
    </head>

    <body onload="document.searchbox.query.focus()">
       <div class="page">
       <script type="text/javascript" src="header2.js"></script>

This is header1.js:

document.write('<link href="../menus.css" rel="stylesheet" type="text/css" />');
document.write('<!--[if lt IE 7]>');
document.write('<style type="text/css" media="screen">');
document.write('body{behavior:url(csshover.htc);}');
document.write('</style>');
document.write('<![endif]-->');

This is the start of header2.js (some lines obscured to protect the innocent):

document.write('        <form action="sphider29/search.php" method="get" name="searchbox" target="_blank">');
document.write('            <table align="right">');
document.write('                <tr>');
document.write('                    <td align="center">');
document.write('                    <input type="text" name="query" id="query" size="25" value="" />');
document.write('                    </td>');
document.write('                    <td align="center">');
document.write('                    <input type="hidden" name="search" value="1" />');
document.write('                    <input type="submit" class="sbmt" value="Site Search" />');
document.write('                </tr>');
document.write('            </table>');
document.write('            <div align="center">');
document.write('                <input type="hidden" name="media_only" value="0" />');
document.write('                <input type="hidden" name="db" value="0" />');
document.write('                <input type="hidden" name="prefix" value="0" /> <br />');
document.write('            </div>');
document.write('        </form>');

document.write('<div style="position: absolute; left: 10px; top: 70px; width: 960px; height: 40px;">');

document.write('<ul class="menuH decor1">');
document.write('  <li style="margin-left:70px;"><a href="../">Home</a>');
document.write('  <li> <a class="parent">xxxxx</a>');
document.write('    <ul>');  
document.write('        <li><a class="parent">xxxxxxxxx</a>');
document.write('           <ul>');
document.write('               <li><a href="xxxxxxxxxxxx.pdf" target="_blank">yyyy</a></li>');
document.write('               <li><a href="xxxxxxxxxxxxx.pdf" target="_blank">yyyy</a></li>');
document.write('               <li><a href="xxxxxxxxxx.pdf" target="_blank">yyyy</a></li>');
document.write('               <li><a href="xxxxxxxxxxx.pdf" target="_blank">yyyy</a></li>');
document.write('               <li><a href="xxxxxxxxxxxx.pdf" target="_blank">yyyy</a></li>');

If the problem is the JavaScript, then if I get rid of it and do it all in PHP with a PHP include of the menu code, will that solve the problem?

According to the hosting company my code was fine. It was some other file somewhere that they did not fully explain that was causing the problem.
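
An added example, not part of the original question or the hosting company's reply: a small Python check that reads an .htaccess and reports, per scope, whether the directives Basic authentication needs are all present. `audit_htaccess`, `POSTED` and `FIXED` are names made up for this example; it assumes Basic auth with Apache's default file provider, and `FIXED` is a constructed comparison, not a file from the page.

```python
import re
# Basic auth with Apache's default file provider needs all four in one scope.
NEEDED = ("authtype", "authname", "authuserfile", "require")
# Only these Require forms demand a login; "Require all granted" does not.
LOGIN_REQUIRES = ("valid-user", "user", "group")
WHOLE_DIR = "(whole directory)"

def audit_htaccess(text):
    """Report, per scope, whether the auth directives form a complete set."""
    scopes = {}          # scope label -> {directive name: arguments}
    current = WHOLE_DIR
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<\s*(/?)(Files(?:Match)?)\b\s*([^>]*)>", line, re.I)
        if tag:          # a closing tag returns to the directory-wide scope
            current = WHOLE_DIR if tag.group(1) else "<%s %s>" % tag.group(2, 3)
            continue
        name, args = (line.split(None, 1) + [""])[:2]
        scopes.setdefault(current, {})[name.lower()] = args
    findings = []
    for scope, seen in scopes.items():
        if not any(name.startswith("auth") for name in seen):
            continue     # this scope does not attempt authentication
        missing = [d for d in NEEDED if d not in seen]
        req = seen.get("require", "").split()
        if req and req[0].lower() not in LOGIN_REQUIRES:
            missing.append("require (login form)")
        findings.append({"scope": scope, "missing": missing, "complete": not missing,
                         "whole_directory": scope == WHOLE_DIR})
    return findings

# The file as it appears in the question above (blank lines dropped).
POSTED = '''Options -Indexes
AddHandler x-httpd-php .html .htm
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
<Files index.html>
AuthUserFile "/home/xxxxxxxx/.htpasswds/public_html/private/passwd"
AuthName "private"
</Files>'''
# Constructed complete form for comparison, reusing the path from the question.
FIXED = '''AuthType Basic
AuthName "private"
AuthUserFile "/home/xxxxxxxx/.htpasswds/public_html/private/passwd"
Require valid-user'''
```

`whole_directory` is false for a `<Files index.html>` section because such a section applies only to files with that name, not to the other files in the directory.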
