httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Possible security problem?
Date Thu, 14 Nov 1996 14:53:28 GMT
Some very valid points here... I'm kind of inclined to see what I can do about
this.

Cheers,

Ben.

Steven Bellovin wrote:
> From heap.ben.algroup.co.uk!arachnet-fw.algroup.co.uk!ns2.rutgers.edu!owner-www-security
Thu Nov 14 14:39:07 1996
> Message-Id: <199611131832.NAA26817@raptor.research.att.com>
> To: "David M. Chess" <CHESS@watson.ibm.com>
> cc: www-security@ns2.rutgers.edu
> Subject: Re: Alta Vista may or may not harvest unadvertised documents 
> Date: Wed, 13 Nov 1996 13:32:31 -0500
> From: Steven Bellovin <smb@research.att.com>
> Sender: owner-www-security@ns2.rutgers.edu
> Precedence: bulk
> Errors-To: owner-www-security@ns2.Rutgers.EDU
> 
> 	 > True, but almost all of the risk is eliminated if you provide the
> 	 > index.html or what ever your server requires to block enumeration
> 	 > of all files in a directory.  While the files may still be accessibl
> 	e,
> 	 > it would take a real guessing game to find the names.
> 	 
> 	 Or it would take some harvester accessing the directory URL
> 	 during the one period when you'd accidentally erased the
> 	 index.html, or you were in the middle of updating it in a
> 	 way that kept the server from seeing it, or it's the one
> 	 directory where you forgot to put an index.html, or you
> 	 spelled its name wrong, or used home.html instead because
> 	 you'd just been working with another brand of server, or...   *8)
> 	 
> 	 Depending on just how secret the stuff in the directory is,
> 	 of course, this may be a tiny enough risk not to matter.  But
> 	 as a matter of policy relying on having an index.html to
> 	 block the enumeration, and no one guessing the filenames,
> 	 is probably a tad weak!  (Maybe I'm just paranoid from having
> 	 read RISKS too much this morning...)
> 
> No, you're not paranoid, you're properly cautious.
> 
> Blatant assertion:  servers should refuse to deal with directories without
> explicit index.html files.  If it's not there, the directory won't be
> served.  I'd like a further check to guard against folks asking for
> directory/.htpasswd and the like -- none of their business.  It's easy
> to assert that the server shouldn't pass back . files, and maybe some
> are like that already.  But the bottom line is that files should be
> retrievable if and only if someone has taken positive action to make them
> so.

-- 
Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
London, England.          Apache-SSL author

Mime
View raw message