httpd-dev mailing list archives

From Brian Behlendorf <br...@wired.com>
Subject Re: E63 send as is --- another issue...
Date Wed, 12 Apr 1995 01:51:49 GMT

Actually, this is only a gain for the Bad Guy (tm) when he has access to read
the access logs for his pages but *not* for the other, protected pages.  This
would mean he'd have to be on a separate system altogether, unless the web
administrator kept the original log files unreadable and had scripts that sent
portions of the log files out to users (i.e., a script that sent all accesses
to /~brian/ to brian@host).  Actually, they don't have to be on the same
host/port, but then you're stretching the bounds of plausibility in the
initial condition, that the BadGuy creates a phony reference. 

I wouldn't worry about it.  Especially when tcpdump will give you all the 
info you need to crack an account like that anyways! :)

	Brian

On Tue, 11 Apr 1995, Robert S. Thau wrote:
> One thing the badguy could do is create a document which looks like it
> has a pointer to the password-protected document, but which actually
> points to a .asis document which fakes up a 401 reply.  (This is
> presumably a copy of some other page which actually does point to the
> real thing, with nothing different about it except the URLs in the
> anchors, so that victims would have to be paying fairly careful
> attention to notice the difference).
> 
> The usernames the badguy gets in the log entries for the .asis
> document will tell him the names of authorized users for the
> password-protected page; with those in hand, dictionary-based
> strategies may be adequate for getting the passwords as well.
> (NB if a user supplies invalid authentication info, the access_log
> shows a 401 reply with authentication username other than '-' --- my
> home-grown logfile summary tool actually uses this to detect people
> who tried bogus usernames/passwords without having to grub through the
> error_log.  Do people actually try "Anonymous" elsewhere?)

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@hotwired.com  brian@hyperreal.com  http://www.hotwired.com/Staff/brian/
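
The check described in the quoted message (a 401 reply logged with an authentication username other than '-') can be run over an access_log as follows. This is an added example, not part of either message and not the logfile summary tool mentioned above; it assumes Common Log Format, and the function name, the `ever_succeeded` field and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout (Common Log Format): host ident authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<when>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

def failed_auth_summary(lines):
    """Summarise 401 replies that carried a username, keyed by that username."""
    ok_users = set()
    failures = defaultdict(lambda: {"count": 0, "hosts": set(), "paths": set()})
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        user, status = m["user"], m["status"]
        if user == "-":
            continue  # no credentials sent: the ordinary first 401 challenge
        if status == "401":
            parts = m["request"].split()
            path = parts[1] if len(parts) >= 2 else m["request"]
            rec = failures[user]
            rec["count"] += 1
            rec["hosts"].add(m["host"])
            rec["paths"].add(path)
        else:
            # Assumption: any non-401 reply logged with a username means the
            # server accepted that user's credentials at least once.
            ok_users.add(user)
    return {u: dict(r, ever_succeeded=u in ok_users) for u, r in failures.items()}

# Constructed sample log lines (documentation addresses, invented users)
SAMPLE_LOG = """\
192.0.2.10 - - [11/Apr/1995:10:00:01 -0700] "GET /private/ HTTP/1.0" 401 -
192.0.2.10 - alice [11/Apr/1995:10:00:09 -0700] "GET /private/ HTTP/1.0" 200 2048
192.0.2.44 - Anonymous [11/Apr/1995:10:02:30 -0700] "GET /private/ HTTP/1.0" 401 -
192.0.2.44 - alice [11/Apr/1995:10:02:41 -0700] "GET /private/ HTTP/1.0" 401 -
192.0.2.44 - alice [11/Apr/1995:10:02:44 -0700] "GET /private/report.html HTTP/1.0" 401 -
""".splitlines()

if __name__ == "__main__":
    for user, rec in sorted(failed_auth_summary(SAMPLE_LOG).items()):
        print(user, rec["count"], sorted(rec["hosts"]), rec["ever_succeeded"])
```

A username that fails from a host it has never succeeded from, or one that never succeeds at all, is the kind of entry worth a closer look.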