httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@worldgate.com>
Subject Apache already has better security than IIS4?!?
Date Sat, 03 Jan 1998 04:30:42 GMT
Let me say that I am concerned about the security of Apache on NT because,
as with any issues, there are details unique to NT that need to be
addressed and I am not yet convinced they have been fully addressed. 

I would think that IIS4 would be better at things like this.

So I decided to take a look to see what it did with a few things, for
reference.  I added access control to a file called "secretfile".  I
denied access from all clients.  That worked fine and denied access.  I
accessed "SECRET~1" (or whatever the 8.3 name is...).  It permitted
access.  NT4, SP3, IIS4, NTFS. 

Am I crazy!?!?

This is a wee security hole that makes access restrictions on any
translated (not necessarily just files longer than 8.3, since NT likes
doing mappings with other names sometimes...), no? 

Does IIS3 do the same thing?


Mime
View raw message