httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: make use of fs ACLs
Date Tue, 05 Jun 2007 18:31:38 GMT
Peter Somogyi wrote:
> 
> Sorry, could you point there please? (I've already spent 4 hours for google 
> and grep on trunk, asked expert people here but couldn't find anything.)
> Do you mean the hole is in the auth way (we can use mod_auth_pam instead), or 
> in using fs ACLs instead of .htaccess?

Twofold; if there was a code execution vulnerability somewhere within the
in-process server stack, including scripting languages or running untrusted
code, those files a visible to nobody.  Essentially you are sharing the p/w
list with everyone on the machine to crack the hashed passwords or search
for their match.

Secondly, unless ssl/tls is in use, the p/w's can be sniffed over the wire.
If these are also your ssh login accounts... well, you can figure out the
rest.

Mime
View raw message