|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: htaccess with apache
From: António Vasconcelos (vasco
all-2-it.com)
Date: Fri Nov 07 2003 - 08:12:34 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Tim Greer wrote:
>> the traditional buffer overflow in malloc() and
>>memcpy() or strcpy() shows just that.
>>
>>
>
>How is this relevant to the permissions on passwd?
>
>
Just to show how easy is to do something that looks to be inocent and
turns out to be a major security problem.
>(unless your server isn't set up well), and save the resources since
>your server is secured properly. Oh well, to each their own, but I have
>to wonder when people make a big deal about something that's not.
>
>
I'm not talking about good/bad server setup.
It's just that the username/password authentication mecanism is a weak
one, and I know that, if possible, users will use a bad or easy to guess
password.
My experience tells me that about 10% of the users _do_ choose a pasword
that can be retrived just from the username and GECOS fields, plus one
or two digits.
So, disclosing the /etc/passwd file is something that should not be
done, and should not be regarded as trivial.
As it _may_ contain info valuable for someone that wants to break into
your sistem.
You should not regard anithing as trivial just because you don't know
how (or if) it can be used against you.
--
António Vasconcelos
/(Administrador de Sistemas)
ALL2IT-Infocomunicações, SA
Torre de Monsanto, 6º Piso
Miraflores, Algés
PORTUGAL
Telf.: + 351 21 412 39 50
Fax.: + 351 21 410 51 94/
*CONFIDENCIAL*: Esta mensagem contém informação confidencial ou material
privilegiado, e é só intencionada para os seus destinatários. De acordo
com a lei em vigor, se um erro originou que tenha recebido esta mensagem
por engano pedimos que, de imediato, notifique o remetente e a apague do
seu sistema sem a reproduzir.
*CONFIDENTIAL*: This e-mail contains proprietary information, some or
all of which may be legally privileged. It is for the intended
recipients only. According to the law in force, if an addressing or
transmission error has misdirected this e-mail, please notify the author
by replying to this e-mail and delete it from your system without
retaining a copy.
...................................................................................
Scanned OK by ALL-2-IT Anti-Virus Gateway
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]