Support

ts77 · #1 04-17-2006, 02:02 PM

Hi there,

I just found by accident that if I try to access some nonexistent file in a secured directory I get a 404 error message. if I try to access an existing file I get the authentication box.
That makes it possible for an attacker to find out which files exist in a directory even before going through authentication.
Therefore I think it would be much better to check authentication before trying to retrieve a file.

mistwang · #2 04-19-2006, 10:33 PM

That's because of the "Files" directive support. Will try to address this in next release. :-)

mistwang · #3 05-15-2006, 05:02 PM

Forgot to fix this in 2.1.15, should be fixed in 2.1.16 release.