httpd-dev mailing list archives

From Rob Hartill <>
Subject apache proxy cache (fwd)
Date Thu, 03 Oct 1996 18:16:49 GMT

not acked

----- Forwarded message from Kyle McCrindle -----

Message-ID: <>
Date: Thu, 03 Oct 1996 13:47:53 -0700
From: Kyle McCrindle <>
Organization: GN Nettest (Canada), Inc.
X-Mailer: Mozilla 3.0Gold (Win16; I)
MIME-Version: 1.0
Subject: apache proxy cache
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

I have noticed a security misgiving in apache's proxy cache of ftp.

The directory, /usr/local/lib/httpd.proxy/cache/ftp, is naturally a
top-level list of all cached sites.  A problem arises if an ftp URL is
used to access a password protected site (i.e. through a browser).  A URL
of good form would be:

Firstly, this represents personal space (home directory on unix) and
should not be cached (is it?).  Secondly, a cache directory is created
and called:

Clearly, the password is visible as part of the directory name.

I am not familiar with apache httpd or the dynamics of other httpd
servers, but is this intended, appropriate, documented, configurable?

		-- Kyle McCrindle

Kyle McCrindle                       internet:
GN Nettest (Navtel Division)         voice: 905-479-8090
R&D Software Engineer                fax: 905-475-6524

----- End of forwarded message from Kyle McCrindle -----

Rob Hartill (  ... why wait for a clear night to see the stars?.

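The report above describes a cache directory named after the full FTP authority, password included. As an added example (not part of the original message and not Apache's code), the C function below derives a directory name with the `user:password@` part removed and tells the caller when credentials were present so the response can be left uncached; `cache_dir_name` is a hypothetical name and the URLs are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Apache's code): derive the cache directory name
 * (host[:port]) for a proxied URL, never including user[:password]@.
 * Returns 0 = no credentials in the URL; 1 = credentials were present and
 * stripped (caller should not cache the response); -1 = malformed/too long. */
int cache_dir_name(const char *url, char *out, size_t outlen)
{
    const char *auth = strstr(url, "://");
    if (auth == NULL || auth == url)
        return -1;
    auth += 3;
    size_t alen = strcspn(auth, "/?#");   /* authority ends at '/', '?', '#' or NUL */
    /* Userinfo ends at the LAST '@' in the authority, so a password that
     * contains a raw '@' is still removed in full. */
    const char *host = auth;
    int has_creds = 0;
    for (size_t i = 0; i < alen; i++) {
        if (auth[i] == '@') {
            host = auth + i + 1;
            has_creds = 1;
        }
    }
    size_t hlen = alen - (size_t)(host - auth);
    /* Reject empty hosts, names that do not fit, and names beginning with '.'
     * (such as "." or ".."), which must never be used as a directory name. */
    if (hlen == 0 || hlen >= outlen || host[0] == '.')
        return -1;
    memcpy(out, host, hlen);
    out[hlen] = '\0';
    return has_creds;
}

int main(void)
{
    /* Constructed sample URLs; host, user and password are made up. */
    const char *urls[] = {
        "ftp://ftp.example.org/pub/README",
        "ftp://alice:s3cret@ftp.example.org/home/alice/notes.txt",
        "ftp://alice:p@ss@ftp.example.org:2121/x",
    };
    char name[256];
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        int rc = cache_dir_name(urls[i], name, sizeof name);
        printf("%-22s %s\n", rc < 0 ? "(rejected)" : name,
               rc == 1 ? "had credentials: skip cache" : rc == 0 ? "cacheable" : "");
    }
    return 0;
}
```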