On Wed, 04 Feb 2004 11:52:21 PST, Shinn Wu <[log in to unmask]> said: > I don't really understand the 'protection' of wa offers in UNIX. I > install wa in /usr/local/apache/cgi-bin and the archives is under > /usr/local/apache/htdocs/archives. All the archives can be accessed by > subscribers ONLY. BUT, you can easily bypass the email/password if you > know (or guess) the name of ANY archive, e.g, > > http://www.anysite.com/archives/test.log0301 > > or even better > > http://www.anysite.com/archive/test.html > > to search the whole list. It didn't offer any .htaccess. I must miss > something important, but I could not find it either in manual or LSTSRV-L. > Would someone shed a light or confirm that? Thanks. You're missing a .htaccess that denies access to archive/*