[3610] in WWW Security List Archive
Re: .htaccess created by CGI script...
daemon@ATHENA.MIT.EDU (Abigail)
Fri Nov 22 18:07:54 1996
To: HARRIS@novell.com (Harris Demel)
Date: Fri, 22 Nov 1996 15:17:14 -0500 (EST)
From: "Abigail" <abigail@ny.fnx.com>
Cc: www-security@ns2.rutgers.edu
Reply-To: abigail@ny.fnx.com
In-Reply-To: <s294768b.042@novell.com> from "Harris Demel" at Nov 21, 96 03:33:40 pm
Errors-To: owner-www-security@ns2.rutgers.edu
You, Harris Demel, wrote:
++
++ Thanks to all who replied to my previous stream re: allowing a user to
++ update an .htaccess file on the server.
++
++ IP spoofing is very easy to do with .htaccess files, especially within an
++ intranet (people on same subnets). Using passwords would be more
++ secure than IP addresses (or machine names) but again, people could
++ sniff the passwords off the wire as they are sent in clear-text.
++
++ Someone mentioned that I had neglected to mention the possibility of
++ someone getting their hands on someone else's keyboard while that
++ person was away from their desk. Yes, I did neglect to mention that
++ because that is always a security consideration. We could only hope
++ users know to secure their workstations when they're away from them.
++ Otherwise, the scope of access is not limited to just one web page --
++ They could access files on whatever servers the user is currently
++ authenticated or logged into.
++
++ Someone else mentioned something about a firewall -- As per my
++ previous message, this is an intranet solution only.
++
++ The solution I've put in place was this:
++ - A passworded CGI script which modifies the .htaccess file
++ - The CGI script adds IP addresses to the .htaccess file
++ - The sensitive directory is also passworded via .htaccess
++
++ While this may sound a bit heavy on the administrative side, it allows the
++ owner of the sensitive material to give/take access to and from users
++ without IS involvement. (The most damage she could do is accidentally
++ give access to the wrong IP address to her area, and yes she's aware of
++ this). The only way someone could get into the area is if:
++
++ - They know the IP address or addresses allowed access to the area
++
++ - They are able to spoof an IP address, meaning they're on the same
++ subnet
Or have access to some convenient placed routers.
++ - They know the generic .htaccess password on that directory
++
++ Those are some pretty tough obstacles, and if someone can still get
++ through all that, then they obviously have too much time on their hands
++ and one must question why someone inside our own company wants to
++ ambush it?
But now you are still sending the password/new IP number as clear-text
over the net. If you are using a CGI program to avoid sending passwords
as clear text, but you send a clear-text password to the program,
doesn't that defeat the purpose?
Abigail
