Bypassing htaccess restrictions?

I found this in my apache access logs

access.log:555.555.555.555 - - [05/May/2011:12:12:21 -0400] "GET /somedir/ HTTP/1.1" 403 291 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0"
access.log:555.555.555.555 - - [05/May/2011:12:12:29 -0400] "GET /somedir/ HTTP/1.1" 200 7629 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0"

So /somedir/ has .htaccess file which looks like

Order Deny,Allow
Deny from all
Allow from 333.333.333.333
Allow from 444.444.444.444

.htaccess was not modified within that timeframe (8 seconds between 12:12:21 and 12:12:29).

Any ideas how it is possible to hit 403 Forbidden and then, 8 seconds later, 200 OK? I'm puzzled.
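To make the two log lines and the access rules above concrete, here is a small Python script (an added example, not code from the poster or from Apache) that does two things a defender would want: it models how Apache 2.2 mod_access evaluates `Order Deny,Allow` / `Deny from all` / `Allow from ...` for a given client address, and it scans combined-format access log lines for the pattern seen in the question, a 403 followed shortly by a 200 from the same client for the same path. The sample log and rules are constructed: the documentation addresses 192.0.2.55, 198.51.100.33 and 198.51.100.44 stand in for the anonymised 555.555.555.555, 333.333.333.333 and 444.444.444.444, and the user agent is shortened. Partial-address forms such as `Allow from 10.1` and hostname matches are not modelled.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log (combined format), modelled on the question's two lines.
SAMPLE_LOG = """\
192.0.2.55 - - [05/May/2011:12:12:21 -0400] "GET /somedir/ HTTP/1.1" 403 291 "-" "Mozilla/5.0"
192.0.2.55 - - [05/May/2011:12:12:29 -0400] "GET /somedir/ HTTP/1.1" 200 7629 "-" "Mozilla/5.0"
"""

# Constructed .htaccess mirroring the question, with documentation addresses.
HTACCESS = """\
Order Deny,Allow
Deny from all
Allow from 198.51.100.33
Allow from 198.51.100.44
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _host_matches(spec, client_ip):
    """True if an Allow/Deny host spec ('all', an IP, or a CIDR/netmask) covers client_ip."""
    if spec.lower() == "all":
        return True
    try:
        net = ip_network(spec, strict=False)
    except ValueError:
        return False  # hostnames and partial addresses are not modelled here
    return ip_address(client_ip) in net


def evaluate_access(rules, client_ip):
    """Apache 2.2 mod_access semantics for Order/Allow/Deny; returns True if allowed."""
    order, allows, denies = "deny,allow", [], []
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "order":
            order = value.replace(" ", "").lower()
        elif key in ("allow", "deny"):
            hosts = value.split()
            if hosts and hosts[0].lower() == "from":
                hosts = hosts[1:]
            (allows if key == "allow" else denies).extend(hosts)

    def any_match(specs):
        return any(_host_matches(s, client_ip) for s in specs)

    if order == "deny,allow":
        # Denies first; an Allow match overrides; unmatched requests are permitted.
        allowed = True
        if any_match(denies):
            allowed = False
        if any_match(allows):
            allowed = True
    else:
        # allow,deny: at least one Allow must match, then any Deny match rejects.
        allowed = any_match(allows)
        if any_match(denies):
            allowed = False
    return allowed


def find_403_then_200(log_text, window=timedelta(seconds=30)):
    """Flag (ip, path, seconds) where a 403 is followed by a 200 within the window."""
    last_403, hits = {}, []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        key = (m["ip"], m["path"])
        ts = datetime.strptime(m["ts"], TS_FMT)
        status = int(m["status"])
        if status == 403:
            last_403[key] = ts
        elif status == 200 and key in last_403 and ts - last_403[key] <= window:
            hits.append((m["ip"], m["path"], int((ts - last_403[key]).total_seconds())))
            del last_403[key]
    return hits


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.33"):
        print(ip, "allowed" if evaluate_access(HTACCESS, ip) else "denied (403)")
    for ip, path, secs in find_403_then_200(SAMPLE_LOG):
        print(f"403 then 200 for {ip} on {path} within {secs}s")
```

Under the rules as written, the client address is denied on every request, so a 200 for the same client and path a few seconds later means the request was not evaluated against these rules (or reached the server differently); the detector gives you a quick way to pull every such pair out of a large log rather than spotting one by eye.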


Solution 1:

I believe that .htaccess is only checked at TCP session initiation, and with clever manipulation at the packet level it may still be possible to manipulate the frames so that the first frames have a fake IP only while the session is being set up, and the real session then has the real IP which you were trying to block.

This is why we have stateful firewalls -- htaccess is not a replacement for a firewall.

Either that, or your .htaccess is not checked at all -- have you tested that it works? :-)

Solution 2:

  1. Does your top-level config allow you to use .htaccess? Check your AllowOverride directive (http://httpd.apache.org/docs/1.3/mod/core.html#allowoverride). You should have set it to All or Limit.
  2. Check that you don't have any Auth restrictions in your config(s).