httpd-dev mailing list archives

From Ben Laurie <>
Subject Possible security problem?
Date Thu, 14 Nov 1996 14:53:28 GMT
Some very valid points here... I'm kind of inclined to see what I can do about
Steven Bellovin wrote:
> From owner-www-security Thu Nov 14 14:39:07 1996
> To: "David M. Chess" <>
> Subject: Re: Alta Vista may or may not harvest unadvertised documents
> Date: Wed, 13 Nov 1996 13:32:31 -0500
> From: Steven Bellovin <>
> Errors-To: owner-www-security@ns2.Rutgers.EDU
>
> > > True, but almost all of the risk is eliminated if you provide the
> > > index.html or whatever your server requires to block enumeration
> > > of all files in a directory.  While the files may still be accessible,
> > > it would take a real guessing game to find the names.
> >
> > Or it would take some harvester accessing the directory URL
> > during the one period when you'd accidentally erased the
> > index.html, or you were in the middle of updating it in a
> > way that kept the server from seeing it, or it's the one
> > directory where you forgot to put an index.html, or you
> > spelled its name wrong, or used home.html instead because
> > you'd just been working with another brand of server, or...   *8)
> >
> > Depending on just how secret the stuff in the directory is,
> > of course, this may be a tiny enough risk not to matter.  But
> > as a matter of policy relying on having an index.html to
> > block the enumeration, and no one guessing the filenames,
> > is probably a tad weak!  (Maybe I'm just paranoid from having
> > read RISKS too much this morning...)
>
> No, you're not paranoid, you're properly cautious.
>
> Blatant assertion:  servers should refuse to deal with directories without
> explicit index.html files.  If it's not there, the directory won't be
> served.  I'd like a further check to guard against folks asking for
> directory/.htpasswd and the like -- none of their business.  It's easy
> to assert that the server shouldn't pass back . files, and maybe some
> are like that already.  But the bottom line is that files should be
> retrievable if and only if someone has taken positive action to make them
> so.

Ben Laurie                Phone: +44 (181) 994 6435  Email:
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL:
A.L. Digital Ltd,         Apache Group member (
London, England.          Apache-SSL author
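Editor's added example, not part of Ben Laurie's message or of the 1996 Apache code base: what Bellovin's two rules look like as an httpd configuration. It uses current Apache 2.4 syntax (`Require`, `FilesMatch`, `DirectoryMatch`), which did not exist in 1996, and the document-root paths are invented for illustration. The first block is the weak setup the thread is worried about; the second is the "serve only what someone has positively published" policy.

```apache
# Added example (not from the original message). Apache httpd 2.4 syntax.
# The paths /srv/www/weak and /srv/www/htdocs are assumptions.

# --- Weak: the situation Chess and Bellovin describe ----------------------
# Autoindexing is on, so any directory that happens to lack index.html
# (erased, misspelled, forgotten, named home.html) gets its whole contents
# listed, and nothing stops a request for /dir/.htpasswd.
<Directory "/srv/www/weak">
    Options +Indexes
    DirectoryIndex index.html
    Require all granted
</Directory>

# --- Hardened: "files are retrievable iff someone took positive action" ---
<Directory "/srv/www/htdocs">
    # 1. Never generate a listing. A request for a directory URL that has
    #    no index.html now gets 403 Forbidden instead of a file list, which
    #    is exactly "if it's not there, the directory won't be served".
    Options -Indexes

    # Only index.html counts as the published entry point. home.html or a
    # misspelled name is just another file, never an implicit index.
    DirectoryIndex index.html

    Require all granted
</Directory>

# 2. Dot-files are "none of their business". This is global, not per
#    directory, so a directory you forgot to configure is still covered.
#    The stock config denies only ".ht*"; this denies every basename that
#    starts with a dot (.htpasswd, .htaccess, .bak-style editor files, ...).
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# FilesMatch tests the final path component only, so also deny any
# directory component beginning with a dot (for example a stray .git/).
<DirectoryMatch "/\.">
    Require all denied
</DirectoryMatch>
```

To check the result, request a directory that deliberately has no index file and a dot-file under the hardened root; both should come back 403, not a listing or the file. Note that `Options -Indexes` only controls listings: files whose names an attacker can guess are still served, which is why the thread's real conclusion is that secret material should not sit under the document root at all rather than rely on an unguessable name.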
