httpd-dev mailing list archives

From Rob Hartill <r...@imdb.com>
Subject apache proxy cache (fwd)
Date Thu, 03 Oct 1996 18:16:49 GMT

not acked

----- Forwarded message from Kyle McCrindle -----

Message-ID: <32542679.13CC@nettestca.gn.com>
Date: Thu, 03 Oct 1996 13:47:53 -0700
From: Kyle McCrindle <kyle@nettestca.gn.com>
Reply-To: kyle@nettestca.gn.com
Organization: GN Nettest (Canada), Inc.
X-Mailer: Mozilla 3.0Gold (Win16; I)
MIME-Version: 1.0
To: apache-bugs@mail.apache.org
Subject: apache proxy cache
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

I have noticed a security misgiving in apache's proxy cache of ftp
servers.

The directory, /usr/local/lib/httpd.proxy/cache/ftp, is naturally a
top-level list of all cached sites.  A problem arises if an ftp URL is
used to access a password-protected site (i.e. through a browser).  A URL
of good form would be:

	ftp://user:password@ftp.private.data.com/

Firstly, this represents personal space (home directory on unix) and
should not be cached (is it?).  Secondly, a cache directory is created
and called:
	/usr/.../cache/ftp/user:password@ftp.private.data.com

Clearly, the password is visible as part of the directory name.

I am not familiar with apache httpd or the dynamics of other httpd
servers, but is this intended, appropriate, documented, configurable?

		-- Kyle McCrindle

-- 
Kyle McCrindle                       internet: kyle@nettestca.gn.com
GN Nettest (Navtel Division)         voice: 905-479-8090
R&D Software Engineer                fax: 905-475-6524
=======================================================================


----- End of forwarded message from Kyle McCrindle -----

-- 
Rob Hartill (robh@imdb.com)    
http://www.imdb.com/  ... why wait for a clear night to see the stars?.
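
The naming problem reported above, as an added example that is not part of the original message and is not Apache's own code: one function builds the cache directory name from the URL authority verbatim, as the report describes, and one strips the userinfo and tells the caller that the request carried credentials. The function names and return conventions are assumptions made for this sketch; the cache root and sample URL are the ones quoted in the report.

```c
#include <stdio.h>
#include <string.h>

#define CACHE_ROOT "/usr/local/lib/httpd.proxy/cache/ftp"  /* path from the report */

/* Locate the authority ("user:password@host") of a URL; NULL if no "://". */
static const char *authority(const char *url, size_t *len)
{
    const char *a = strstr(url, "://");
    if (!a) return NULL;
    a += 3;
    *len = strcspn(a, "/");            /* authority ends at the first '/' */
    return a;
}

/* Reported behaviour: the authority, credentials included, becomes the
 * directory name. Returns 0 on success, -1 on error or truncation. */
int cache_dir_naive(const char *url, char *out, size_t n)
{
    size_t len;
    const char *a = authority(url, &len);
    if (!a || len == 0) return -1;
    return (size_t)snprintf(out, n, "%s/%.*s", CACHE_ROOT, (int)len, a) < n ? 0 : -1;
}

/* Hardened form: drop the userinfo before naming the directory.
 * Returns 1 if the URL carried credentials (caller should skip caching),
 * 0 if it did not, -1 on error or truncation. */
int cache_dir_safe(const char *url, char *out, size_t n)
{
    size_t len, i;
    const char *a = authority(url, &len), *host = a;
    if (!a) return -1;
    for (i = 0; i < len; i++)          /* userinfo ends at the last '@' */
        if (a[i] == '@') host = a + i + 1;
    len -= (size_t)(host - a);
    if (len == 0) return -1;           /* nothing left to name the directory */
    if ((size_t)snprintf(out, n, "%s/%.*s", CACHE_ROOT, (int)len, host) >= n) return -1;
    return host != a;
}

int main(void)
{
    const char *url = "ftp://user:password@ftp.private.data.com/";  /* URL from the report */
    char buf[256];
    if (cache_dir_naive(url, buf, sizeof buf) == 0) printf("naive: %s\n", buf);
    if (cache_dir_safe(url, buf, sizeof buf) == 1) printf("safe:  %s (skip caching)\n", buf);
    return 0;
}
```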
