[3602] in WWW Security List Archive

.htaccess created by CGI script...

daemon@ATHENA.MIT.EDU (Harris Demel)
Thu Nov 21 21:12:54 1996

Date: Thu, 21 Nov 1996 15:33:40 -0700
From: Harris Demel <HARRIS@novell.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Thanks to all who replied to my previous stream re: allowing a user to
update an .htaccess file on the server.

IP spoofing is very easy to do with .htaccess files, especially within an
intranet (people on same subnets).  Using passwords would be more
secure than IP addresses (or machine names) but again, people could
sniff the passwords off the wire as they are sent in clear-text.

Someone mentioned that I had neglected to mention the possibility of
someone getting their hands on someone else's keyboard while that
person was away from their desk.  Yes, I did neglect to mention that
because that is always a security consideration.  We could only hope
users know to secure their workstations when they're away from them.
Otherwise, the scope of access is not limited to just one web page --
They could access files on whatever servers the user is currently
authenticated or logged into.

Someone else mentioned something about a firewall -- As per my
previous message, this is an intranet solution only.

The solution I've put in place was this:
- A passworded CGI script which modifies the .htaccess file
- The CGI script adds IP addresses to the .htaccess file
- The sensitive directory is also passworded via .htaccess

While this may sound a bit heavy on the administrative side, it allows the
owner of the sensitive material to give/take access to and from users
without IS involvement.  (The most damage she could do is accidentally
give access to her area to the wrong IP address, and yes, she's aware of
this.)  The only way someone could get into the area is if:

- They know the IP address or addresses allowed access to the area

- They are able to spoof an IP address, meaning they're on the same
subnet

- They know the generic .htaccess password on that directory

Those are some pretty tough obstacles, and if someone can still get
through all that, then they obviously have too much time on their hands
and one must question why someone inside our own company wants to
ambush it?

- Harris Demel
  Novell, Inc. InnerWeb Webmaster
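The post describes a layered setup: a CGI script that edits the IP allow-list in a directory's .htaccess, with the directory also protected by a password. The helper below is an added example, not Harris's script or any Novell code. It assumes Apache 1.x-style access control (Order/Deny/Allow directives), Basic authentication via an .htpasswd file, and `Satisfy all` so that both the IP check and the password must pass; the CGI wrapper, its own password check and file locking are assumed to sit around these functions and are not shown. The point it adds is the one a practitioner would want from such a script: the value a user submits must be validated as a literal IP address before it is written into a configuration file, otherwise whoever can reach the script can write arbitrary directives (for instance `Allow from all`) into the protected directory's .htaccess.

```python
"""Added example (not from the original post): edit the IP allow-list of a
directory's .htaccess the way the poster's CGI script is described to.

Assumptions not stated in the post: Apache 1.x Order/Deny/Allow syntax,
Basic auth against an .htpasswd file, and 'Satisfy all' so that BOTH the
client IP and the password are checked.  The CGI wrapper, its password
check and file locking are outside this example.
"""

import ipaddress
import re

ALLOW_RE = re.compile(r"^\s*allow\s+from\s+(.+?)\s*$", re.IGNORECASE)

# Constructed sample of the protected directory's .htaccess (paths are placeholders).
SAMPLE_HTACCESS = """\
AuthType Basic
AuthName "Restricted area"
AuthUserFile /path/to/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from 10.1.2.3
Satisfy all
"""


def parse_allowed(htaccess_text):
    """Return the set of hosts already listed on 'Allow from' lines."""
    allowed = set()
    for line in htaccess_text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            allowed.update(m.group(1).split())
    return allowed


def validate_ip(candidate):
    """Accept only a literal IPv4/IPv6 address and return it normalised.

    Hostnames, wildcards, 'all', or a value carrying an embedded newline
    (an attempt to smuggle a second directive into the file) all raise
    ValueError, so nothing but a single address ever reaches the file.
    """
    try:
        return str(ipaddress.ip_address(candidate.strip()))
    except ValueError:
        raise ValueError("not a literal IP address: %r" % candidate)


def is_valid_ip(candidate):
    """Boolean form of validate_ip, convenient for form handling."""
    try:
        validate_ip(candidate)
        return True
    except ValueError:
        return False


def add_allowed_ip(htaccess_text, candidate):
    """Return the .htaccess text with `candidate` added to the allow-list.

    The new line goes directly after the last existing 'Allow from' line so
    it stays inside the Order/Deny/Allow block; adding an address that is
    already listed leaves the file unchanged.
    """
    ip = validate_ip(candidate)
    if ip in parse_allowed(htaccess_text):
        return htaccess_text
    lines = htaccess_text.splitlines()
    new_line = "Allow from %s" % ip
    last_allow = max((i for i, l in enumerate(lines) if ALLOW_RE.match(l)), default=None)
    if last_allow is None:
        lines.append(new_line)
    else:
        lines.insert(last_allow + 1, new_line)
    return "\n".join(lines) + "\n"


def remove_allowed_ip(htaccess_text, candidate):
    """Return the .htaccess text with `candidate` removed from the allow-list."""
    ip = validate_ip(candidate)
    kept = []
    for line in htaccess_text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            hosts = [h for h in m.group(1).split() if h != ip]
            if not hosts:
                continue  # drop an 'Allow from' line left with no hosts
            line = "Allow from %s" % " ".join(hosts)
        kept.append(line)
    return "\n".join(kept) + "\n"


def requires_both_checks(htaccess_text):
    """True if a request must pass BOTH the IP rule and the password.

    Apache's default Satisfy is 'all'; an explicit 'Satisfy any' would let
    a listed IP in without a password (or a password in from any IP),
    which is not the layering the post describes.
    """
    lines = [l.strip().lower() for l in htaccess_text.splitlines()]
    has_require = any(l.startswith("require ") for l in lines)
    has_ip_rule = any(ALLOW_RE.match(l) for l in lines)
    satisfy_any = any(re.match(r"^satisfy\s+any$", l) for l in lines)
    return has_require and has_ip_rule and not satisfy_any


if __name__ == "__main__":
    updated = add_allowed_ip(SAMPLE_HTACCESS, "10.1.2.4")
    print(updated)
    print("both checks required:", requires_both_checks(updated))
```

In a real CGI wrapper the same validation would be applied to the submitted form field before calling `add_allowed_ip`, and the rewritten file would be written to a temporary name and renamed into place so a half-written .htaccess is never served.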