[3588] in WWW Security List Archive


CGI script to modify .htaccess for individual access by IP address

daemon@ATHENA.MIT.EDU (Prentiss Riddle)
Tue Nov 19 17:10:44 1996

From: Prentiss Riddle <riddle@is.rice.edu>
To: HARRIS@novell.com (Harris Demel)
Date: Tue, 19 Nov 1996 10:47:11 -0600 (CST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <s29090a1.057@novell.com> from "Harris Demel" at Nov 18, 96 04:35:41 pm
Errors-To: owner-www-security@ns2.rutgers.edu

> From owner-www-security@ns2.rutgers.edu  Mon Nov 18 22:36:51 1996
> Date: Mon, 18 Nov 1996 16:35:41 -0700
> From: Harris Demel <HARRIS@novell.com>
> To: www-security@ns2.rutgers.edu
> Sender: owner-www-security@ns2.rutgers.edu
> 
> A user has requested a mechanism which blocks all users from a local
> URL, but allows some specific users to access it.  She also requested
> that she have control over the access list.  She preferred that the set of
> users allowed to access the area not be required to enter a password.
> 
> I've created a script which enables her to effectively modify an
> '.htaccess' file in the directory which houses her sensitive files.  The
> htaccess file denies all, but allows specific machines access (determined
> by IP address).  This required me to set the owner of the htaccess file the
> same as the httpd daemon and open up permissions.
> 
> The obvious threat is that anyone could run the cgi script and edit the
> htaccess file in that directory, but for that reason, I've htaccess'ed the cgi
> script.
> 
> This solution allows easy access list administration, and the users can
> easily access the URL without entering a password.
> 
> The question I have is what are the security risks here?

Without looking at your code I couldn't comment on the security of your
CGI script, except to say that "the devil is in the details".

However, there's another risk here which you don't address: is it
really safe to assume a 1:1 correspondence between users and IP
addresses?  Under your scheme, anyone who has access (physical or
electronic) to the workstations listed in the .htaccess file would be
given access to the information; conversely, your trusted users will be
denied access if they come in from an unlisted IP address.  In the
offices I'm familiar with, it's not uncommon for someone to sit down at
a colleague's computer, or to work from home or the road.  Your
equation of IP address with an individual wouldn't work in this
environment, but perhaps your corporate culture is a little different.

-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
-- Home office: 2002-A Guadalupe St. #285, Austin, TX 78705 / 512-323-0708
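
One of the "details" such a script has to get right, shown as an added example that is not part of either message and is not Harris Demel's script: every submitted entry is validated as a single IPv4 address before any line of the .htaccess file is generated, and the file is replaced atomically. The function names, the IPv4-only restriction and the sample addresses are assumptions made for this illustration.

```python
import ipaddress
import os
import tempfile

# Deny everyone, then allow only the listed hosts (Apache host-based access).
HEADER = ["order deny,allow", "deny from all"]

def render_htaccess(entries):
    """Return .htaccess text that allows only the validated addresses."""
    allowed = []
    for raw in entries:
        # Assumption: IPv4 only. IPv4Address accepts exactly one dotted quad,
        # so newlines, spaces, "all", hostnames and CIDR ranges raise
        # ValueError and can never become an extra directive in the file.
        addr = ipaddress.IPv4Address(raw.strip())
        if addr.is_unspecified or addr.is_multicast:
            raise ValueError(f"not a host address: {raw!r}")
        # Write the parsed value, never the raw form input.
        if str(addr) not in allowed:
            allowed.append(str(addr))
    return "\n".join(HEADER + [f"allow from {a}" for a in allowed]) + "\n"

def write_htaccess(directory, entries):
    """Validate first, then swap the new file in with a single rename."""
    text = render_htaccess(entries)  # raises before anything touches disk
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".htaccess.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(tmp, 0o644)  # readable by the web server, writable by owner
        os.replace(tmp, os.path.join(directory, ".htaccess"))
    except BaseException:
        os.unlink(tmp)
        raise
    return text

if __name__ == "__main__":
    # Constructed sample input (documentation address ranges).
    print(render_htaccess(["192.0.2.10", " 198.51.100.7 ", "192.0.2.10"]))
```

Validation of this kind only keeps the access list well-formed; it does not change the point made in the reply that an IP address identifies a machine rather than a person.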
