Hi,

It seems that this plugin bypasses the Apache basic authentication when “banned users” is active.
Because ITSecurity modifies the .htaccess file and adds some lines like:

    <IfModule mod_authz_core.c>
      <RequireAll>
        Require all granted
        Require not env DenyAccess
        Require not ip xxx.xxx.xxx.xxx
        Require not ip xxx.xxx.xxx.yyy
      </RequireAll>
    </IfModule>
    <IfModule !mod_authz_core.c>
      Order allow,deny
      Allow from all
      Deny from env=DenyAccess
      Deny from xxx.xxx.xxx.xxx
      Deny from xxx.xxx.xxx.yyy
    </IfModule>

And those lines will bypass directives set before in the Apache server conf file, for example:

    <Directory "/var/www/htdocs">
      AuthType Basic
      AuthName "RESTRICTED"
      AuthUserFile "passw_file"
      require valid-user
    </Directory>

So all users (except banned ones) will have access to the website although it has been protected.
Not sure I make myself understood (my English is not as fluent as I want), but I think it’s important to note this issue, since it would set your website to “public” even if you think it isn’t.

Ten
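The mechanism behind the report is Apache 2.4's authorization merging: with the default `AuthMerging Off`, any `Require` section in a `.htaccess` file replaces the parent `<Directory>` block's `Require valid-user` rather than combining with it, so `Require all granted` inside the plugin's `<RequireAll>` lets every non-banned client in without credentials. The following is an added example, not code from the post or from the plugin; it shows the server block from the post with `AuthMerging And` set as the fix, the plugin's `.htaccess` fragment with constructed placeholder addresses from the 192.0.2.0/24 documentation range, and a hand-edited alternative. The password file path is an assumption.

```apache
# Server configuration (assumed file: the main httpd/apache2 conf).
# AuthMerging And makes Require rules found in .htaccess files combine
# (logical AND) with this block's Require instead of replacing it.
# Apache does not allow trailing comments, so all comments sit on their own line.
<Directory "/var/www/htdocs">
    AuthType Basic
    AuthName "RESTRICTED"
    # assumed location of the htpasswd file
    AuthUserFile "/etc/apache2/passw_file"
    AllowOverride AuthConfig
    AuthMerging And
    Require valid-user
</Directory>

# Variant A: .htaccess as written by the plugin (from the post; IPs are
# constructed placeholders). With AuthMerging Off this <RequireAll>
# REPLACES "Require valid-user": any non-banned client is let in without
# a login. With AuthMerging And in the block above, the effective rule is
#   valid-user AND (all granted AND not DenyAccess AND not banned IP)
# so the login prompt is enforced again and the bans still apply.
<IfModule mod_authz_core.c>
  <RequireAll>
    Require all granted
    Require not env DenyAccess
    Require not ip 192.0.2.10
    Require not ip 192.0.2.11
  </RequireAll>
</IfModule>

# Variant B: if the server configuration cannot be changed, edit the
# .htaccess so the authorization rule itself demands a login. AuthType,
# AuthName and AuthUserFile are inherited from the <Directory> block.
# This assumes the plugin does not regenerate the file afterwards; re-check
# the file after each plugin update or settings change.
<IfModule mod_authz_core.c>
  <RequireAll>
    Require valid-user
    Require not env DenyAccess
    Require not ip 192.0.2.10
    Require not ip 192.0.2.11
  </RequireAll>
</IfModule>
```

After reloading Apache, verify the fix from an address that is not banned: an unauthenticated request to the site must return `401 Unauthorized` (for example `curl -I http://example.test/`, with a hostname of your own), and the same request with valid credentials must return `200`. If the unauthenticated request returns `200`, the `.htaccess` rules are still replacing the parent's `Require valid-user`.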

The topic ‘Plugin bypass apache basic authentication’ is closed to new replies.