Subject: Re: anonymous ftp server
From: QBA (kubarut POCZTA.WP.PL)
Date: Tue Sep 12 2000 - 10:09:43 CDT
- Next message: Owen Creger: "Re: samba binded int. secure?"
- Previous message: ksemat: "Re: network accounting"
- Maybe in reply to: QBA: "anonymous ftp server"
- Next in thread: Victor STANESCU: "Re: anonymous ftp server"
- Maybe reply: QBA: "Re: anonymous ftp server"
- Reply: Victor STANESCU: "Re: anonymous ftp server"
On Sun, Sep 10, 2000 at 08:52:05PM -0500, Joe Laffey wrote:
> > That's very true, enabling a webserver's fancyindex option can open up a
> > very large security hole.
>
> How is this a large security hole if you (correctly) only allow indexes
> for the particular directory in question? If you control write access to
> the directory what are the potential problems? (Of course you must set up
> ownership of the icons correctly too...)
I don't understand why ownership of the icons can be a security hole.
Let's imagine an xxx.gif file with permissions -rwxrwxr-x, user root, group root.
The location of this icon is /home/httpd/icons (drwxr-xr-x root root).
And this file is available to download from a www site that uses indexes.
So what benefits will a cracker who spotted such a file get?
Thank you for the explanation,
QBA
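
An added example, not part of the original message or thread: a small audit for the layout described above (a -rwxrwxr-x icon under a drwxr-xr-x directory). It reports the ownership and mode bits that decide who can modify a file the web server hands out; the function names, issue labels and sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_served_tree(top, trusted_uids=(0,)):
    """Return sorted (path, issue) pairs for a directory the web server indexes."""
    findings = []
    for root, _dirs, files in os.walk(top):
        for entry in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(entry)  # lstat: inspect a symlink itself, not its target
            if stat.S_ISLNK(st.st_mode):
                findings.append((entry, "symlink"))
                continue
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid not in trusted_uids:
                findings.append((entry, "untrusted-owner"))
            if mode & stat.S_IWGRP:
                findings.append((entry, "group-writable"))
            if mode & stat.S_IWOTH:
                findings.append((entry, "world-writable"))
            if stat.S_ISREG(st.st_mode) and mode & 0o111:
                findings.append((entry, "executable-static-file"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample mirroring the message: icons dir 0755, xxx.gif 0775."""
    top = tempfile.mkdtemp(prefix="icons-")
    os.chmod(top, 0o755)
    for name, mode in (("xxx.gif", 0o775), ("ok.gif", 0o644)):
        path = os.path.join(top, name)
        with open(path, "wb") as fh:
            fh.write(b"GIF89a")
        os.chmod(path, mode)
    return top

if __name__ == "__main__":
    sample = build_sample_tree()
    # Assumption: the current user stands in for root so the demo runs unprivileged.
    for path, issue in audit_served_tree(sample, trusted_uids=(os.getuid(),)):
        print(f"{issue:24} {path}")
```

On a real server, call `audit_served_tree("/home/httpd/icons")` with the default `trusted_uids=(0,)` so anything not owned by root is reported as well.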