httpd-dev mailing list archives

From Chuck Murcko <ch...@telebase.com>
Subject Re: apache proxy cache (fwd)
Date Thu, 03 Oct 1996 21:51:34 GMT
Ben Laurie liltingly intones:
> 
> Rob Hartill wrote:
> > 
> > 
> > not acked
> > 
> > ----- Forwarded message from Kyle McCrindle -----
> > 
> > I have noticed a security misgiving in apache's proxy cache of ftp
> > servers.
> > 
> > The directory, /usr/local/lib/httpd.proxy/cache/ftp, is naturally a
> > top-level list of all cached sites.  A problem arises if an ftp URL is
> > used to access a password protected site (ie. through a browser).  A url
> > of good form would be:
> > 
> > 	ftp://user:password@ftp.private.data.com/
> > 
> > Firstly, this represents personal space (home directory on unix) and
> > should not be cached (is it?).
> 
> Whether it should be cached is moot. Clearly it should only be cached if it
> can be done securely. But, this applies to a wider and less clearly defined set
> of URLs.

Roger that. Initial solution thought is not to cache non-anonymous stuff,
but that could only be an interim approach. In fact that's what's supposed
to be happening now.
> 
> > Secondly, a cache directory is created
> > and called:
> > 	/usr/.../cache/ftp/user:password@ftp.private.data.com
> 
> Really? Last time I looked the proxy used the MD5 hash of the URL. Unless this
> has been changed, which I sincerely hope it hasn't, this is simply not true.
> 
Nope, it has most definitely not changed. From the new ftp code (this is
similar to the old ftp code):

...
/* find password */
        p = strchr(user, ':');
        if (p != NULL) 
        { 
            *(p++) = '\0';
            password = p;
            passlen = decodeenc(password);
        }
        userlen = decodeenc(user);
        nocache = 1; /* don't cache when a username is supplied */
    } else
    {
        user = "anonymous";
        userlen = 9;
    
        password = "proxy_user@apache_host.org";
        passlen = strlen(password);
    }
...

I will check this specific case, 'cause if it's doing what Kyle claims, it's
most definitely a serious bug. In addition, though unfortunate, the
password is currently passed in the clear on the net. This should be
addressed in future.

chuck
Chuck Murcko	N2K Inc.	Wayne PA	chuck@telebase.com
And now, on a lighter note:
Slang is language that takes off its coat, spits on its hands, and goes
to work.
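
Added example, not part of the original message and not Apache's code: a minimal C sketch of the policy discussed in this thread, which refuses to cache any ftp:// URL carrying userinfo and derives a credential-free form of the URL for logs or on-disk names. The function name `ftp_cache_policy` and the example.org URL are hypothetical; the first sample URL is the one quoted in the message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 if the URL carries userinfo (must not be
 * cached), 0 if it is anonymous (may be cached), -1 if it is malformed.
 * On success `safe` receives the URL with any user:password@ removed. */
int ftp_cache_policy(const char *url, char *safe, size_t safelen)
{
    static const char scheme[] = "ftp://";
    const char *auth, *end, *at = NULL, *host, *p;
    int n;

    if (strncmp(url, scheme, sizeof scheme - 1) != 0)
        return -1;
    auth = url + sizeof scheme - 1;
    /* The authority ends at the first '/', so an '@' in the path is ignored. */
    end = auth + strcspn(auth, "/");
    /* Userinfo ends at the last '@' inside the authority. */
    for (p = auth; p < end; p++)
        if (*p == '@')
            at = p;
    host = at ? at + 1 : auth;
    if (host == end)
        return -1;                      /* empty host name */
    n = snprintf(safe, safelen, "%s%s", scheme, host);
    if (n < 0 || (size_t)n >= safelen)
        return -1;                      /* would truncate: refuse */
    return at != NULL;                  /* any userinfo means nocache */
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *urls[] = {
        "ftp://user:password@ftp.private.data.com/",
        "ftp://ftp.example.org/pub/a@b.txt",
    };
    char safe[256];
    size_t i;

    for (i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        int nocache = ftp_cache_policy(urls[i], safe, sizeof safe);
        printf("nocache=%d safe=%s\n", nocache, nocache < 0 ? "(invalid)" : safe);
    }
    return 0;
}
```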
