httpd-dev mailing list archives

From Chuck Murcko <ch...@telebase.com>
Subject apache proxy cache (fwd)
Date Fri, 04 Oct 1996 04:23:36 GMT
Kyle, here is a more in-depth answer to your query. Apache's proxy
creates a 22 byte MD5 hash for naming its cache directories, so it is
not possible by examining the directory structure only to determine
origin, owner, etc. of the cached content. Clearly, more info can
be gotten by examining the content in the cache directories themselves.

It is possible to give some protection to the cache directory by using the
<Directory> and <Limit> configuration directives to restrict browser
access to the cache tree itself.

Regarding FTP proxying, only anonymous FTP data is cached. User/password
data is specifically *not* cached by the proxy.

This data is, however, displayed in the directory listings returned to
the browser by the FTP proxy. This feature (directory display) was not
functional in the 1.1 FTP proxy handler, but is working in the 1.2
version (soon to go into beta test). I will make the necessary changes to
block display of the password data, which could be viewed by passers-by.

I hope this answers your questions more fully.

> ----- Forwarded message from Kyle McCrindle -----
> 
> Message-ID: <32542679.13CC@nettestca.gn.com>
> Date: Thu, 03 Oct 1996 13:47:53 -0700
> From: Kyle McCrindle <kyle@nettestca.gn.com>
> Reply-To: kyle@nettestca.gn.com
> Organization: GN Nettest (Canada), Inc.
> X-Mailer: Mozilla 3.0Gold (Win16; I)
> MIME-Version: 1.0
> To: apache-bugs@mail.apache.org
> Subject: apache proxy cache
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> 
> I have noticed a security misgiving in apache's proxy cache of ftp
> servers.
> 
> The directory, /usr/local/lib/httpd.proxy/cache/ftp, is naturally a
> top-level list of all cached sites.  A problem arises if an ftp URL is
> used to access a password-protected site (i.e. through a browser).  A URL
> of good form would be:
> 
> 	ftp://user:password@ftp.private.data.com/
> 
> Firstly, this represents personal space (home directory on unix) and
> should not be cached (is it?).  Secondly, a cache directory is created
> and called:
> 	/usr/.../cache/ftp/user:password@ftp.private.data.com
> 
> Clearly, the password is visible as part of the directory name.
> 
> I am not familiar with apache httpd or the dynamics of other httpd
> servers, but is this intended, appropriate, documented, configurable?
> 
> 		-- Kyle McCrindle
> 
> -- 
> Kyle McCrindle                       internet: kyle@nettestca.gn.com
> GN Nettest (Navtel Division)         voice: 905-479-8090
> R&D Software Engineer                fax: 905-475-6524
> =======================================================================
> 
> 
> ----- End of forwarded message from Kyle McCrindle -----

chuck
Chuck Murcko	N2K Inc.	Wayne PA	chuck@telebase.com
And now, on a lighter note:
We're only in it for the volume.
		-- Black Sabbath
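
The change promised above, blocking display of the password in FTP proxy output, amounts to masking the password part of `user:password@host` before a URL is shown or logged. The following is an added example, not part of the original message and not Apache's own code; `redact_url_password` is a hypothetical helper, and it assumes any `/`, `?` or `#` inside the userinfo is percent-encoded, as the URL syntax requires.

```c
#include <stdio.h>
#include <string.h>

/* Copy url into out (size outlen), replacing any password in the
 * "user:password@" userinfo part with "****". Returns 0 on success,
 * -1 if out is too small. Hypothetical helper, not Apache's code. */
int redact_url_password(const char *url, char *out, size_t outlen)
{
    const char *auth = strstr(url, "://");
    const char *at = NULL, *colon;
    size_t auth_len, i;

    auth = auth ? auth + 3 : url;           /* start of the authority part */
    auth_len = strcspn(auth, "/?#");        /* authority ends where the path starts */

    /* The last '@' inside the authority separates userinfo from host. */
    for (i = 0; i < auth_len; i++)
        if (auth[i] == '@')
            at = auth + i;

    /* The first ':' inside the userinfo separates user from password. */
    colon = at ? memchr(auth, ':', (size_t)(at - auth)) : NULL;

    if (colon == NULL) {                    /* no password present: copy unchanged */
        if (strlen(url) >= outlen)
            return -1;
        strcpy(out, url);
        return 0;
    }
    /* Keep everything up to and including ':', mask, then resume at '@'. */
    int n = snprintf(out, outlen, "%.*s****%s",
                     (int)(colon - url + 1), url, at);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample inputs; the first is the URL form from the report. */
    const char *samples[] = {
        "ftp://user:password@ftp.private.data.com/",
        "ftp://ftp.example.org:21/pub/",
        "ftp://anonymous@ftp.example.org/a:b@c",
    };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        if (redact_url_password(samples[i], buf, sizeof buf) == 0)
            printf("%s\n", buf);
    return 0;
}
```

A port number or a `:` in the path is left alone because only a colon that precedes an `@` inside the authority is treated as the start of a password.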
