I made an earlier post in this forum regarding a cracked .htaccess password. Since then, I believe I have learned how the password was cracked. I'll briefly explain how (without sufficient detail to make it a *how to* post), but I'd like to know if there's anything TCH can do to plug up this potential security hole?
Here's how it could have been done: since this student was given an FTP account on the site, he was allowed to upload files in a directory under the root folder. Apparently, the FTP account prevents him from navigating out of his assigned folder, but the files in the folder have rights to read pages located outside that directory -- in fact, even outside the public_html directory. With a little knowledge and guess work about the file structure of the site, he was able to use PHP to open and read any file on the site. Even though .htaccess files encrypt passwords and store them in a folder outside the public_html directory, he was able to view those files and later used a cracking program to discover the password.
Using *strong* passwords makes such a task far more difficult (perhaps even impossible) for anyone to learn the password in this fashion. However, the security risk remains. In a non shared environment, this wouldn't be possible (I'm told). So I'm wondering if either TCH or I can do anything to restrict file access as described above?
I was also told that, in some shared hosting environments, the same sort of vulnerability exists between web sites located on the same server. Any truth to this?
Any help and/or suggestions will be appreciated. Thanks!