HTTP POST can be issued against files in the protected directory Addresses the issue "HTTP POST can be issued against files in the protected directory"

Product:Ensim Pro for Linux
Version: 4.1.0 (Fedora Core 1, Fedora Core 2, Red Hat Enterprise Linux 3, Red Hat Enterprise Linux 4, CentOS 4.1, CentOS 4.2)
Date: 01-February-2006
Patch Description: Addresses the issue:
HTTP POST can be issued against files in the protected directory.
Overview : When Ensim control panel is used to protect a directory, the .htaccess file only protects HTTP GET. HTTP POST can still be issued against files in the protected directory.
To protect this unauthorised entry and overcome the above-mentioned issue please apply this hotfix.

Download:
For fc1: ftp.ensim.com/download/pro/linux/4.1.0/hotfix/httppostvulnerability/fc1/webppliance-apache-4.1.0-11.fc.1.i386.rpm
(md5sum: 64d5ba16fed63dfe765ee95049bd8298)

For fc2: ftp://ftp.ensim.com/download/pro/linux/4.1.0/hotfix/httppostvulnerability/fc2/webppliance-apache-4.1.0-11.fc.2.i386.rpm
(md5sum:bdd073db332d969dfa1f9a9003ec7b6f)

For RHEL3: ftp.ensim.com/download/pro/linux/4.1.0/hotfix/httppostvulnerability/rhel3/webppliance-apache-4.1.0-11.rhel.3ES.i386.rpm
(md5sum:992af7a1d28154245645247968b19b03)

For RHEL4: ftp.ensim.com/download/pro/linux/4.1.0/hotfix/httppostvulnerability/rhel4/webppliance-apache-4.1.0-11.rhel.4ES.i386.rpm
(md5sum:f8100925d8992aaf92c98ca5dcfa0b0d)

For CentOS 4.1: ftp.ensim.com/download/pro/linux/4.1.0/hotfix/httppostvulnerability/rhel4/webppliance-apache-4.1.0-11.rhel.4ES.i386.rpm
(md5sum:f8100925d8992aaf92c98ca5dcfa0b0d)

For CentOS 4.2: ftp.ensim.com/download/pro/linux/4.1.0/hotfix/httppostvulnerability/rhel4/webppliance-apache-4.1.0-11.rhel.4ES.i386.rpm
(md5sum:f8100925d8992aaf92c98ca5dcfa0b0d)

Installation Procedure:

Get the webppliance-apache RPM from the locations mentioned above.
Upgrade the RPM. Webppliance restart is not required.

Protecting New Directories:

Log in as siteadmin (Frontpage should not be enabled for your site).
Go to apache->protect directories.
Enter the info and protect the directory.
Check the .htaccess file inside that directory, it should have the proper GET and POST directives against the Limit tag

Re-apply the directory protection to existing directories:

For directories already protected with an earlier version of Ensim Pro, you will have to re-protect all the existing protected directories.
Follow steps 1 and 2 as mentioned in the previous section.
Now unprotect the directory, and again protect it.
Again, check the .htaccess file for the GET and POST tags.

Note:If you already have protected directories on server then you can execute the attached file to apply fixes to them.