OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: anonymous ftp server
From: C. Higgins (iceBLACKHAT.NET)
Date: Mon Sep 11 2000 - 00:24:48 CDT

Well, if you set it up as you mentioned, then I believe it will be okay.
If you only allow the indexing in the paticular directory, however there
are issues that come up regarding allowing global indexing(bad), which is
what I was writing about. Also, yeah be sure to control the write
permissions in the directory, anything that you make public needs to have
correct permissions and only permissions necessary, for instance, most
files can be chmod'd -wx and still be available correctly for the server.
Setting such permissions prevents a user from modifying the files in order
to get root somehow. You just have to take the time to set it up
correctly, and only turn on indexing for those folders that you MUST have
it in would be my suggestion.
- Clay

.-----------(( Reply!Separator ))------- ---- --- --- -- - -
| On 9/10/2000 at 8:52 PM, Joe Laffey wrote:

>On Sun, 10 Sep 2000, C. Higgins wrote:
>
>> That's very true, enabling a webservers fancyindex option can open up a
>> very large security hole.
>
>How is this a large security hole if you (correctly) only allow indexes
>for the particular directory in question? If you control write access to
>the directory what are the potential problems? (Of course you must set up
>ownership of the icons correctly too...)
>
>Thanks,
>
>Joe Laffey
>LAFFEY Computer Imaging
>St. Louis, MO
>-------------------------
>With no walls or fences on the Internet, who needs Windows or Gates?
>---------------------------------------------------------------------