not acked
----- Forwarded message from Kyle McCrindle -----
Message-ID: <32542679.13CC@nettestca.gn.com>
Date: Thu, 03 Oct 1996 13:47:53 -0700
From: Kyle McCrindle <kyle@nettestca.gn.com>
Reply-To: kyle@nettestca.gn.com
Organization: GN Nettest (Canada), Inc.
X-Mailer: Mozilla 3.0Gold (Win16; I)
MIME-Version: 1.0
To: apache-bugs@mail.apache.org
Subject: apache proxy cache
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
I have noticed a security misgiving in apache's proxy cache of ftp servers.
The directory, /usr/local/lib/httpd.proxy/cache/ftp, is naturally a top-level list of all cached sites. A problem arises if an ftp URL is used to access a password protected site (i.e. through a browser). A URL of good form would be:

ftp://user:password@ftp.private.data.com/

Firstly, this represents personal space (home directory on unix) and should not be cached (is it?). Secondly, a cache directory is created and called:

/usr/.../cache/ftp/user:password@ftp.private.data.com
Clearly, the password is visible as part of the directory name.
I am not familiar with apache httpd or the dynamics of other httpd servers, but is this intended, appropriate, documented, configurable?
-- Kyle McCrindle
--
Kyle McCrindle internet: kyle@nettestca.gn.com
GN Nettest (Navtel Division) voice: 905-479-8090
R&D Software Engineer fax: 905-475-6524
=======================================================================
----- End of forwarded message from Kyle McCrindle -----
--
Rob Hartill (robh@imdb.com)
http://www.imdb.com/ ... why wait for a clear night to see the stars?.
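A defensive illustration of the report above, added here and not part of Apache or of the original message: deriving a proxy-cache directory name from an ftp URL without the userinfo (and declining to cache authenticated fetches at all), plus a check that flags existing cache entry names which already embed credentials. The cache root and the sample entry names are assumptions constructed for the example.

```python
"""
Added example (not Apache's code): keep URL credentials out of proxy-cache
directory names, and audit a cache tree for names that already leak them.
"""
import os
import re
from urllib.parse import urlsplit

# Cache root from the report; assumed here, real layouts may differ.
CACHE_ROOT = "/usr/local/lib/httpd.proxy/cache/ftp"

# A hostname never contains '@', so "something@" at the start of an entry
# name means the userinfo (user or user:password) was used as the key.
USERINFO_IN_NAME = re.compile(r"^[^/@]+@")


def cache_dir_for(url):
    """Return the cache directory for *url*, or None if it must not be cached.

    The unsafe behaviour in the report keys the entry on the full authority
    ("user:password@host"). Here the userinfo is never part of the name, and
    a URL that carried credentials is treated as private and not cached.
    """
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("only ftp URLs are handled by this cache")
    if parts.username is not None or parts.password is not None:
        return None  # authenticated fetch: personal space, do not cache
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    name = host if parts.port in (None, 21) else f"{host}_{parts.port}"
    return os.path.join(CACHE_ROOT, name)


def leaked_credentials(entry_names):
    """Return the cache entry names that embed userinfo (user[:password]@)."""
    return [n for n in entry_names if USERINFO_IN_NAME.match(n)]


def audit_cache(root=CACHE_ROOT):
    """List *root* and report entries whose names carry credentials."""
    return leaked_credentials(os.listdir(root))


if __name__ == "__main__":
    # Constructed sample entry names, as the report describes them.
    sample = ["ftp.example.com", "user:password@ftp.private.data.com"]
    print("leaking entries:", leaked_credentials(sample))
    print("safe key:", cache_dir_for("ftp://ftp.example.com/pub/"))
```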