On Wed, 04 Feb 2004 11:52:21 PST, Shinn Wu said:
> I don't really understand the 'protection' wa offers in UNIX. I
> installed wa in /usr/local/apache/cgi-bin and the archives are under
> /usr/local/apache/htdocs/archives. All the archives can be accessed by
> subscribers ONLY. BUT, you can easily bypass the email/password if you
> know (or guess) the name of ANY archive, e.g.,
>
> http://www.anysite.com/archives/test.log0301
>
> or even better
>
> http://www.anysite.com/archive/test.html
>
> to search the whole list. It didn't offer any .htaccess. I must be missing
> something important, but I could not find it either in the manual or on LSTSRV-L.
> Would someone shed some light or confirm that? Thanks.
You're missing a .htaccess that denies access to archive/*
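
A sketch of the deny rule the reply describes, added here as an example and not part of the original messages. The directory path is the one given in the question; the choice between the two variants and the Apache version notes are assumptions about the local setup.

```apache
# Added example, not from the original thread.
#
# Variant A: per-directory file
#   /usr/local/apache/htdocs/archives/.htaccess   (path from the question)
#
# Apache 1.3 / 2.0 / 2.2 syntax. Blocks every direct HTTP request for
# files in this directory and below.
Order deny,allow
Deny from all

# Apache 2.4 and later replace the two lines above with:
#   Require all denied

# Variant A only takes effect if the server configuration lets .htaccess
# files set access rules for this directory. With "AllowOverride None" the
# file is ignored without any error. In httpd.conf:
#
#   <Directory "/usr/local/apache/htdocs/archives">
#       AllowOverride Limit         # needed for Order/Deny
#       # AllowOverride AuthConfig  # needed for Require on 2.4+
#   </Directory>

# Variant B: put the rule in httpd.conf itself, so it does not depend on
# a .htaccess file being present or honoured:
#
#   <Directory "/usr/local/apache/htdocs/archives">
#       AllowOverride None
#       Order deny,allow
#       Deny from all
#   </Directory>
```

After reloading Apache, a direct request for any file under the archives directory should return 403 Forbidden. These rules apply to HTTP requests only, so a program that reads the same files from disk is not affected by them.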