Received: by taz.hyperreal.com (8.7.5/V2.0) id QAA19450; Thu, 3 Oct 1996 16:09:16 -0700 (PDT)
Received: from arachnet.algroup.co.uk by taz.hyperreal.com (8.7.5/V2.0) with SMTP id QAA19442; Thu, 3 Oct 1996 16:09:11 -0700 (PDT)
Received: from heap.ben.algroup.co.uk by arachnet.algroup.co.uk id aa08416; 4 Oct 96 0:08 BST
Received: from gonzo.ben.algroup.co.uk by heap.ben.algroup.co.uk id aa14813; 3 Oct 96 23:19 BST
Subject: Re: apache proxy cache (fwd)
To: new-httpd@hyperreal.com
Date: Thu, 3 Oct 1996 23:13:18 +0100 (BST)
From: Ben Laurie
In-Reply-To: <199610032151.RAA22569@telebase.com.> from "Chuck Murcko" at Oct 3, 96 05:51:34 pm
X-Mailer: ELM [version 2.4 PL24 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID: <9610032313.aa05153@gonzo.ben.algroup.co.uk>
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

Chuck Murcko wrote:
>
> Ben Laurie liltingly intones:
> >
> > Rob Hartill wrote:
> > >
> > >
> > > not acked
> > >
> > > ----- Forwarded message from Kyle McCrindle -----
> > >
> > > I have noticed a security misgiving in apache's proxy cache of ftp
> > > servers.
> > >
> > > The directory, /usr/local/lib/httpd.proxy/cache/ftp, is naturally a
> > > top-level list of all cached sites. A problem arises if an ftp URL is
> > > used to access a password protected site (ie. through a browser). A url
> > > of good form would be:
> > >
> > > ftp://user:password@ftp.private.data.com/
> > >
> > > Firstly, this represents personal space (home directory on unix) and
> > > should not be cached (is it?).
> >
> > Whether it should be cached is moot. Clearly it should only be cached if it
> > can be done securely. But, this applies to a wider and less clearly defined set
> > of URLs.
>
> Roger that. Initial solution thought is not to cache non-anonymous stuff,
> but that could only be an interim approach. In fact that's what's supposed
> to be happening now.
> >
> > > Secondly, a cache directory is created
> > > and called:
> > > /usr/.../cache/ftp/user:password@ftp.private.data.com
> >
> > Really? Last time I looked the proxy used the MD5 hash of the URL. Unless this
> > has been changed, which I sincerely hope it hasn't, this is simply not true.
> >
> Nope, it has most definitely not changed. From the new ftp code (this is
> similar to the old ftp code):
>
>     ...
>         /* find password */
>         p = strchr(user, ':');
>         if (p != NULL)
>         {
>             *(p++) = '\0';
>             password = p;
>             passlen = decodeenc(password);
>         }
>         userlen = decodeenc(user);
>         nocache = 1;    /* don't cache when a username is supplied */
>     } else
>     {
>         user = "anonymous";
>         userlen = 9;
>
>         password = "proxy_user@apache_host.org";
>         passlen = strlen(password);
>     }
>     ...
>
> I will check this specific case, 'cause if it's doing what Kyle claims, it's
> most definitely a serious bug. In addition, though unfortunate, the
> password is currently passed in the clear on the net. This should be
> addressed in future.

Ah, yes. Well ... I admit I never played with FTP - in fact, wasn't it not
there when I was messing with the proxy? Anyway, I assumed that it used the
same technique as the HTTP proxy (which it damn well should) and used the MD5
hash of the URL as the filename (split into directory levels). Then at least
the password is not in the clear. It doesn't help with the contents, of
course, though the truly paranoid could use the password as a key to encrypt
the contents. This would, of course, make Apache a munition.

If the cache itself is protected, none of this matters, of course.

Cheers,

Ben.

>
> chuck
> Chuck Murcko N2K Inc. Wayne PA chuck@telebase.com
> And now, on a lighter note:
> Slang is language that takes off its coat, spits on its hands, and goes
> to work.

--
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.
Apache Group member (http://www.apache.org)
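
The two safeguards discussed in this thread, as an added Python example (not part of the original messages and not Apache's code): refuse to cache any URL that carries a user name, and name cache files after the MD5 hash of the URL, split into directory levels, so credentials never appear in a path. The function names, the number of levels and the hex encoding are assumptions; the cache root and the first sample URL are the ones quoted in the thread.

```python
import hashlib
from urllib.parse import urlsplit

# Cache root quoted in the report; the directory layout below is an assumption.
CACHE_ROOT = "/usr/local/lib/httpd.proxy/cache"


def has_credentials(url):
    """True if the URL carries a user name or password (even an empty one)."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def naive_cache_path(url):
    """Layout described in the report: the URL's authority used verbatim."""
    parts = urlsplit(url)
    return f"{CACHE_ROOT}/{parts.scheme}/{parts.netloc}"


def hashed_cache_path(url, levels=3, width=1):
    """MD5 of the whole URL as the file name, split into directory levels.

    levels/width and the hex encoding are assumptions for illustration.
    """
    digest = hashlib.md5(url.encode("utf-8")).hexdigest()
    dirs = [digest[i * width:(i + 1) * width] for i in range(levels)]
    return "/".join([CACHE_ROOT, *dirs, digest[levels * width:]])


def cache_decision(url):
    """Return (cacheable, path); never cache when a user name is supplied."""
    if has_credentials(url):
        return False, None
    return True, hashed_cache_path(url)


if __name__ == "__main__":
    # Constructed sample URLs; the first is the form quoted in the thread.
    for url in ("ftp://user:password@ftp.private.data.com/",
                "ftp://ftp.example.org/pub/README"):
        print(url)
        print("  naive :", naive_cache_path(url))
        print("  hashed:", hashed_cache_path(url))
        print("  cache?:", cache_decision(url)[0])
```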