httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rodent of Unusual Size <Ken.C...@Golux.Com>
Subject Re: cvs commit: httpd-2.0/modules/generators mod_autoindex.c
Date Tue, 05 Feb 2002 11:36:31 GMT
jwoolley@apache.org wrote:
> 
>   List files that would result in HTTP_UNAUTHORIZED in addition to
>   successes and redirections, since there's a chance the client will
>   actually have the proper authorization to retrieve them.

-1 (yes, a veto).  Standard security practice: you don't
expose even meta-information without knowing the user can
access it.  Unixish systems have broken with this practice
since day one by making /etc/passwd readable, but it's still
visible in the login sequence: you get asked for a password
even if the username exists, and the 'login incorrect'
doesn't tell you that it failed because of an invalid username.

Exposing the existence of something without knowing that the
user can access it provides a definite target for probing and
attack.
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"Millennium hand and shrimp!"

Mime
View raw message