httpd-dev mailing list archives

From "R.J. Kraaij" <terdu...@worldonline.nl>
Subject [ apache on win32 Service /network shares]
Date Mon, 01 Feb 1999 10:50:11 GMT

Hi, this is my first post here, so if I'm doing something wrong,
please tell me personally :o)

>     * who should run the service?  Who exactly is the "system account"?
>       That _really_ sucks.  Can we recommend running Apache as some 
>       other user?
The service uses the account it's running on to hand it over to called
devices. However, there are exceptions. For instance, Pathworks on NT: when
a user is logged into the system and has a drive mapped, the
service is capable of accessing the drive by using the user's credentials.

This is one of the leaks I personally experimented with. Microsoft IIS3 is also
vulnerable to this leak. In fact, we have been using this trick
ourselves, to let us access certain shares with permission problems...

So _high_ care should be taken when logging into a system where a
webserver is running. Be sure you're not using a rare network-mapping client.

Because then a user with access to any server scripting could
theoretically (and practically, tested by myself) access your mapped network
devices using _your_ account (just by doing an openfile on your
Mappedletter:\Drive\).

This does not count for SMB network shares.


----
Background of author: I'm running 5 intranet webservers on IIS,
and an Internet-Apache-Module-Chatserver.


   -- Reinder Kraaij




