[1089] in WWW Security List Archive


Re: Unix links subverting Web security

daemon@ATHENA.MIT.EDU (sameer)
Fri Oct 27 02:48:43 1995

From: sameer <sameer@c2.org>
To: Steff.Watkins@Bristol.ac.uk (Steff Watkins)
Date: Thu, 26 Oct 1995 21:16:27 -0700 (PDT)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <9510261631.AA06763@sun.cse.bris.ac.uk> from "Steff Watkins" at Oct 26, 95 04:31:21 pm
Errors-To: owner-www-security@ns2.rutgers.edu

	Use SymlinksIfOwnerMatch -- I don't know if CERN supports
that, but I think Apache and NCSA 1.4 do.

> 
> Hello all,
> 
>   forgive me if this is an 'FAQ' type of question.
> 
> Using the CERN/3.0 WebServer (I haven't tried it with NCSA yet), I noticed
> the following.
> 
> I logged in as myself (in normal user mode), changed to the 'USER_DIR' of my
> account and then did the following:
> 
>     ln -s /etc/passwd test.doc
> 
> I then called this file across the network from another machine (albeit
> within the .bris.ac.uk domain) using netscape and the simple user specific
> URL of '~ccsw/test.doc'.
> 
> What I got back was a nicely pre-formatted copy of my '/etc/passwd' file.
> 
> Now, some of our systems DON'T use shadow passwords (not my fault,
> honest!).. and that meant that not only did I get a list of all the
> usernames, but also the passwords associated with them.
> 
> Now, knowing of the strengths of Crack and such like, and the dumb things
> our local users do, this constitutes a potential security hole.
> 
> So, the question is:
> 
>   Is there a standard way of stopping this, by configuration or some other
> means at source, that is the WebServer itself? Or, do I have to ritually
> scan my filesystem for links to potentially dangerous systems files and
> delete them??
> 
> Steff
> 
> : University of Bristol                            Steff.Watkins@bris.ac.uk
> : URL: http://sw.cse.bris.ac.uk/  <= As mentioned in Wired 1.04+
> : Making a fire so big the gods will notice me again!!!
> 
> 


-- 
sameer						Voice:   510-601-9777
Community ConneXion				FAX:     510-601-9734
The Internet Privacy Provider			Dialin:  510-658-6376
http://www.c2.org (or login as "guest")			sameer@c2.org
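The rule sameer points at is an owner-match test: the server follows a symlink only when the link itself and the file it resolves to belong to the same uid, so a user's `test.doc -> /etc/passwd` (link owned by the user, target owned by root) is refused rather than served. In Apache this is `Options SymLinksIfOwnerMatch` in place of `FollowSymLinks`. The script below is an added example, not code from the thread or from the CERN, NCSA or Apache servers; it applies the same test offline across a web tree so an administrator can find the links such a server would refuse (or that a server without the option would still happily serve). The demo tree it builds, the file names, and the uids 1000 and 0 are constructed for the example; the `lstat`/`stat` parameters are injectable only so the demo does not depend on the uid it runs as.

```python
#!/usr/bin/env python3
"""Audit a web tree for symlinks that FollowSymLinks would serve but
SymLinksIfOwnerMatch would refuse.  Constructed example, not from the thread.

Rule mirrored here: a symlink is followed only when the link inode and the
file it points to have the same owning uid.  In the thread's scenario the
link test.doc is owned by the user and /etc/passwd by root, so the owners
differ and an owner-matching server returns an error instead of the file.
"""
import os
import shutil
import stat as statmod
import sys
import tempfile
import types
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Finding:
    link: str        # path of the symlink inside the web tree
    target: str      # where it points (resolved)
    link_uid: int    # owner of the symlink itself
    target_uid: int  # owner of the file it points to


def owner_matches(link_uid: int, target_uid: int) -> bool:
    """The SymLinksIfOwnerMatch test: follow the link only if both uids agree."""
    return link_uid == target_uid


def audit_tree(root: str,
               lstat: Callable[[str], object] = os.lstat,
               stat: Callable[[str], object] = os.stat) -> List[Finding]:
    """Return every symlink under `root` whose owner differs from its target's.

    `lstat` inspects the link itself, `stat` follows it.  Both are injectable
    so the logic can be exercised with constructed ownership data: a test
    cannot create root-owned files, and the result must not depend on the
    uid the script happens to run as.
    """
    findings: List[Finding] = []
    # followlinks=False: symlinked directories are listed but not descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            link_st = lstat(path)
            if not statmod.S_ISLNK(link_st.st_mode):
                continue
            try:
                target_uid = stat(path).st_uid
            except FileNotFoundError:
                continue  # dangling link: nothing is served either way
            if not owner_matches(link_st.st_uid, target_uid):
                findings.append(Finding(path, os.path.realpath(path),
                                        link_st.st_uid, target_uid))
    return findings


# --- constructed demo tree standing in for a user's web directory ----------
USER_UID = 1000  # hypothetical uid of the account owning the web directory
ROOT_UID = 0


def run_demo() -> List[Finding]:
    """Build a throwaway tree and audit it with constructed ownership.

    own.txt  -> file the user owns; ok.doc links to it (allowed)
    pw.txt   -> stands in for /etc/passwd, pretended to be owned by root;
                test.doc links to it (flagged, as in the thread)
    gone.doc -> dangling link (ignored)
    """
    base = tempfile.mkdtemp(prefix="symlink-audit-")
    try:
        for fname in ("own.txt", "pw.txt"):
            open(os.path.join(base, fname), "w").close()
        os.symlink(os.path.join(base, "own.txt"), os.path.join(base, "ok.doc"))
        os.symlink(os.path.join(base, "pw.txt"), os.path.join(base, "test.doc"))
        os.symlink(os.path.join(base, "missing.txt"), os.path.join(base, "gone.doc"))

        def demo_lstat(path):
            # every inode inside the user's tree is owned by the user
            real = os.lstat(path)
            return types.SimpleNamespace(st_mode=real.st_mode, st_uid=USER_UID)

        def demo_stat(path):
            # the target of test.doc is "root-owned"; everything else is the user's
            real = os.stat(path)  # raises FileNotFoundError for dangling links
            uid = ROOT_UID if os.path.realpath(path).endswith("pw.txt") else USER_UID
            return types.SimpleNamespace(st_mode=real.st_mode, st_uid=uid)

        return audit_tree(base, lstat=demo_lstat, stat=demo_stat)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    # Real use: python3 symlink_audit.py /home/*/public_html  (real ownership)
    roots = sys.argv[1:]
    results = [f for r in roots for f in audit_tree(r)] if roots else run_demo()
    for f in results:
        print(f"{f.link} -> {f.target}  link uid {f.link_uid}, target uid {f.target_uid}")
```

Run with one or more document roots to audit real ownership; run with no arguments to see the constructed case, where only `test.doc` is reported. Note that the owner-match test protects against the link-to-system-file case in the thread but not against a user linking to another user's world-readable file whose owner happens to be the same uid, so it complements rather than replaces file permissions on the targets.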
