[3540] in WWW Security List Archive
Re: Alta Vista may or may not harvest unadvertised documents
daemon@ATHENA.MIT.EDU (Myrddin)
Thu Nov 14 14:11:15 1996
Date: Thu, 14 Nov 1996 17:31:37 +0100 (MET)
From: Myrddin <myrddin@apis.de>
To: Steven Bellovin <smb@research.att.com>
cc: "David M. Chess" <CHESS@watson.ibm.com>, www-security@ns2.rutgers.edu
In-Reply-To: <199611131832.NAA26817@raptor.research.att.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Wed, 13 Nov 1996, Steven Bellovin wrote:
> > True, but almost all of the risk is eliminated if you provide the
> > index.html or what ever your server requires to block enumeration
> > of all files in a directory. While the files may still be accessible,
> > it would take a real guessing game to find the names.
>
> Or it would take some harvester accessing the directory URL
> during the one period when you'd accidentally erased the
> index.html, or you were in the middle of updating it in a
> way that kept the server from seeing it, or it's the one
> directory where you forgot to put an index.html, or you
> spelled its name wrong, or used home.html instead because
> you'd just been working with another brand of server, or... *8)
>
> Depending on just how secret the stuff in the directory is,
> of course, this may be a tiny enough risk not to matter. But
> as a matter of policy relying on having an index.html to
> block the enumeration, and no one guessing the filenames,
> is probably a tad weak! (Maybe I'm just paranoid from having
> read RISKS too much this morning...)
>
> No, you're not paranoid, you're properly cautious.
>
> Blatant assertion: servers should refuse to deal with directories without
> explicit index.html files. If it's not there, the directory won't be
> served. I'd like a further check to guard against folks asking for
> directory/.htpasswd and the like -- none of their business. It's easy
> to assert that the server shouldn't pass back . files, and maybe some
> are like that already. But the bottom line is that files should be
> retrievable if and only if someone has taken positive action to make them
> so.
>
You can also save the directory as index.html and erase all important
data, put some fake files into it so that the casual investigation will
only reveal a boring directory.
Michael
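The policy argued for in the quoted mail, "files should be retrievable if and only if someone has taken positive action to make them so", can be written down as a small request resolver plus an audit of the document root for the mistakes the thread lists (a forgotten or misspelled index.html, home.html used by habit, a .htpasswd sitting beside public files). The code below is an added illustration and is not from this thread or from any server of the period; the function names, the single-index-name rule and the sample document tree are all assumptions made for the example.

```python
import os
import tempfile

# Assumption for this example: index.html is the only directory default honoured.
INDEX_NAME = "index.html"


def resolve(docroot, url_path):
    """Map a request path to (status, filesystem path) under the thread's policy.

    Rules (assumptions for this example, not any real server's behaviour):
      - names beginning with a dot (.htpasswd, .git, ...) are never served
      - a directory is served only through its index.html; there is no listing
        fallback, so a missing or misspelled index gives 403, not a file list
      - anything outside the document root, or not an ordinary file, gives 404
    """
    root = os.path.realpath(docroot)
    parts = [p for p in url_path.split("/") if p not in ("", ".")]
    if any(p.startswith(".") for p in parts):      # also rejects ".." components
        return 403, None
    target = os.path.realpath(os.path.join(root, *parts))
    if not (target == root or target.startswith(root + os.sep)):
        return 404, None
    if os.path.isdir(target):
        index = os.path.join(target, INDEX_NAME)
        if os.path.isfile(index):
            return 200, index
        return 403, None            # no positive action taken: refuse, never enumerate
    if os.path.isfile(target):
        return 200, target
    return 404, None


def audit(docroot):
    """Report directories without an index (they would be refused, not listed)
    and dot-files present in the tree (they would be blocked), so the
    'forgot / misspelled index.html' cases can be found before a harvester does."""
    root = os.path.realpath(docroot)
    missing_index, dotfiles = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if INDEX_NAME not in filenames:
            missing_index.append(rel)
        for name in filenames:
            if name.startswith("."):
                dotfiles.append(name if rel == "." else os.path.join(rel, name))
    return sorted(missing_index), sorted(dotfiles)


def build_sample_docroot():
    """Constructed sample tree (not taken from the thread) showing the mistakes it describes."""
    root = tempfile.mkdtemp(prefix="docroot-")

    def put(relpath, text):
        full = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)

    put("index.html", "<h1>home</h1>\n")
    put("docs/index.html", "<h1>docs</h1>\n")
    put("docs/report.html", "public report\n")
    put("private/home.html", "home.html used instead of index.html\n")
    put("private/secret.txt", "never meant to be listed\n")
    put("private/.htpasswd", "user:hash\n")          # constructed placeholder, not a real credential
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    for path in ("/", "/docs/", "/private/", "/private/.htpasswd", "/docs/report.html"):
        print(path, resolve(root, path)[0])
    print("directories without index:", audit(root)[0])
    print("dot-files present:", audit(root)[1])
```

With the sample tree, `/private/` is refused with 403 rather than listed even though it has no index.html, `/private/.htpasswd` is refused outright, and the audit names `private` as the directory someone forgot to publish deliberately. Running the audit against a real document root before a crawler visits is the cheap check the thread is asking for.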