404 checked before checking authentication

Discussion in 'Bug Reports' started by ts77, Apr 17, 2006.

  1. ts77

    ts77 Well-Known Member

    Hi there,

    I just found by accident that if I try to access some nonexistent file in a secured directory I get a 404 error message. If I try to access an existing file I get the authentication box.
    That makes it possible for an attacker to find out which files exist in a directory even before going through authentication.
    Therefore I think it would be much better to check authentication before trying to retrieve a file.
  2. mistwang

    mistwang LiteSpeed Staff

    That's because of the "Files" directive support. Will try to address this in the next release. :)
  3. mistwang

    mistwang LiteSpeed Staff

    Forgot to fix this in 2.1.15, should be fixed in 2.1.16 release.
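
The ordering issue reported in this thread, as an added example that is not part of the original posts and is not LiteSpeed's code: a minimal model of a request handler with the file lookup before and after the authentication check, plus a regression check that compares unauthenticated responses. The paths, credential and function names are constructed for illustration.

```python
import base64

# Constructed sample data: one protected directory, one valid credential.
PROTECTED_PREFIX = "/secure/"
FILES = {"/secure/report.pdf", "/public/index.html"}
VALID_AUTH = "Basic " + base64.b64encode(b"alice:s3cret").decode()


def authorized(path, auth_header):
    """True if the path is unprotected or the request carries the valid credential."""
    return not path.startswith(PROTECTED_PREFIX) or auth_header == VALID_AUTH


def handle_lookup_first(path, auth_header=None):
    """Ordering described in the report: file lookup runs before the auth check."""
    if path not in FILES:
        return 404
    if not authorized(path, auth_header):
        return 401
    return 200


def handle_auth_first(path, auth_header=None):
    """Ordering the reporter asks for: auth check runs before the file lookup."""
    if not authorized(path, auth_header):
        return 401
    if path not in FILES:
        return 404
    return 200


def leaks_existence(handler, existing, missing):
    """Regression check: do unauthenticated responses differ for existing vs. missing paths?"""
    return handler(existing) != handler(missing)


if __name__ == "__main__":
    for handler in (handle_lookup_first, handle_auth_first):
        leak = leaks_existence(handler, "/secure/report.pdf", "/secure/nope.txt")
        print(f"{handler.__name__}: leaks file existence = {leak}")
```

With the auth check first, a 404 inside the protected directory is only ever returned to a request that has already authenticated.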
