httpd-dev mailing list archives

From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: apache proxy cache (fwd)
Date Thu, 03 Oct 1996 18:19:13 GMT
Rob Hartill wrote:
> 
> 
> not acked
> 
> ----- Forwarded message from Kyle McCrindle -----
> 
> Message-ID: <32542679.13CC@nettestca.gn.com>
> Date: Thu, 03 Oct 1996 13:47:53 -0700
> From: Kyle McCrindle <kyle@nettestca.gn.com>
> Reply-To: kyle@nettestca.gn.com
> Organization: GN Nettest (Canada), Inc.
> X-Mailer: Mozilla 3.0Gold (Win16; I)
> MIME-Version: 1.0
> To: apache-bugs@mail.apache.org
> Subject: apache proxy cache
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> 
> I have noticed a security misgiving in apache's proxy cache of ftp
> servers.
> 
> The directory, /usr/local/lib/httpd.proxy/cache/ftp, is naturally a
> top-level list of all cached sites.  A problem arises if an ftp URL is
> used to access a password protected site (ie. through a browser).  A url
> of good form would be:
> 
> 	ftp://user:password@ftp.private.data.com/
> 
> Firstly, this represents personal space (home directory on unix) and
> should not be cached (is it?).

Whether it should be cached is moot. Clearly it should only be cached if it
can be done securely. But, this applies to a wider and less clearly defined set
of URLs.

> Secondly, a cache directory is created
> and called:
> 	/usr/.../cache/ftp/user:password@ftp.private.data.com

Really? Last time I looked the proxy used the MD5 hash of the URL. Unless this
has been changed, which I sincerely hope it hasn't, this is simply not true.

Cheers,

Ben.

> 
> Clearly, the password is visible as part of the directory name.
> 
> I am not familiar with apache httpd or the dynamics of other httpd
> servers, but is this intended, appropriate, documented, configurable?
> 
> 		-- Kyle McCrindle
> 
> -- 
> Kyle McCrindle                       internet: kyle@nettestca.gn.com
> GN Nettest (Navtel Division)         voice: 905-479-8090
> R&D Software Engineer                fax: 905-475-6524
> =======================================================================
> 
> 
> ----- End of forwarded message from Kyle McCrindle -----
> 
> -- 
> Rob Hartill (robh@imdb.com)    
> http://www.imdb.com/  ... why wait for a clear night to see the stars?.

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.            Apache Group member (http://www.apache.org)

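The disagreement above is about how the proxy names a cached FTP entry on disk: the report says the directory is the literal "user:password@host", the reply says the name is the MD5 hash of the URL. The following is an added example, not code from Apache httpd or from anyone in this thread, that models both schemes side by side, plus the check a practitioner would run (is the password visible in the name?) and the caveat that follows from it: hashing the whole URL hides the password from a casual listing of the cache directory, but because everything in the URL except the password is guessable, the hashed name can still be attacked offline with a candidate list. A third function shows the conservative option, refusing to cache any URL that carries credentials. The cache root is the path quoted in the report; the example URL, the candidate passwords and the hex encoding of the MD5 digest are assumptions made for the example and are not the proxy's actual on-disk format.

```python
"""Added example, not code from Apache httpd or from anyone in this thread.

Three ways a proxy could name the on-disk cache entry for an FTP URL that
carries credentials in the userinfo part:

  1. the literal netloc as the directory name (what the report describes),
  2. MD5 over the whole URL (what the reply says the proxy does),
  3. refusing to cache a URL that carries credentials at all.

Constructed for the example: the URL, the candidate-password list, and the
hex encoding of the digest (an assumption, not the proxy's real format).
"""
import hashlib
from typing import List, Optional
from urllib.parse import urlsplit

CACHE_ROOT = "/usr/local/lib/httpd.proxy/cache/ftp"   # path quoted in the report


def literal_cache_name(url: str) -> str:
    """Scheme 1: one directory per site, named after the netloc verbatim.
    With userinfo present, the password ends up in every listing of the cache."""
    return f"{CACHE_ROOT}/{urlsplit(url).netloc}"


def hashed_cache_name(url: str) -> str:
    """Scheme 2: MD5 over the complete URL, hex-encoded (encoding assumed)."""
    return f"{CACHE_ROOT}/{hashlib.md5(url.encode()).hexdigest()}"


def password_visible(cache_name: str, password: str) -> bool:
    """The check the report implies: does the password appear in the name?"""
    return password in cache_name


def recover_password(cache_name: str, user: str, host: str, path: str,
                     candidates: List[str]) -> Optional[str]:
    """Why scheme 2 only hides the password from a casual listing.

    The user name and host are often known and the path is usually '/', so
    an attacker who can read the cache directory names can hash candidate
    URLs offline and compare against the stored name.
    """
    target = cache_name.rsplit("/", 1)[1]
    for pw in candidates:
        guess = f"ftp://{user}:{pw}@{host}{path}"
        if hashlib.md5(guess.encode()).hexdigest() == target:
            return pw
    return None


def safe_cache_name(url: str) -> Optional[str]:
    """Scheme 3: never cache a URL that carries credentials.

    Such content is per-user (a home directory, in the report's example) and
    a cached copy would be served to anyone who later sends the same URL
    through the proxy. Credential-free URLs still get a hashed name so the
    on-disk layout reveals nothing about what was fetched.
    """
    parts = urlsplit(url)
    if parts.username is not None or parts.password is not None:
        return None
    return hashed_cache_name(url)


if __name__ == "__main__":
    url = "ftp://user:password@ftp.private.data.com/"   # constructed example
    print("literal :", literal_cache_name(url))
    print("hashed  :", hashed_cache_name(url))
    print("guessed :", recover_password(hashed_cache_name(url), "user",
                                       "ftp.private.data.com", "/",
                                       ["hunter2", "password", "letmein"]))
    print("safe    :", safe_cache_name(url))
```

The point of recover_password is the one the reply's "only cached if it can be done securely" leaves open: a hashed directory name is not a secret, it is a deterministic function of mostly public input, so the only naming scheme that keeps the password out of the cache is not to cache the entry at all.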