From: RSnake (rsnakeshocking.com)
Date: Fri Apr 26 2002 - 11:09:11 CDT
Okay, I wasn't going to comment on this, but no, that will only solve a
very small part of the problem. What about SSI? CGI? If you allow .htaccess
files to override settings I can turn FollowSymLinks back on. There are nearly
as many ways around this as ways to fix it. The only good way to fix this that
I have heard of is to make a chrooted jail (http://jailnotes.cg.nu/) for each
user, and give them access to their own virtual machine.
The problem is that http runs as the www or nobody or whathaveyou user.
All content has to be viewable by that single user. Even if you could stop all
that nonsense and chmoded all the dirs to 711 so the malicious user couldn't
easily navigate around, a user could still cd into the public directory of the
victim's account and simply follow the links around until they located the
secret dir, and read or copy the .htpasswd file or whatever strikes their
fancy (except edit, assuming you aren't a complete idiot with permissions).
Oh, or you could pull a Geocities, and completely disallow shell access
to the box. Not too classy, but it worked.
Basically, if you don't trust your users that you give access to your machine, you should jail them,
give them very restricted access to their own box, put in acl rules to make
sure they are logging in from approved hosts, use skey/secureid, syslog to
another host, etc... etc... You get the idea.
On Thu, 25 Apr 2002, Golden_Eternity wrote:
| Date: Thu, 25 Apr 2002 09:17:12 -0700
| From: Golden_Eternity <bhodi_jabiryahoo.com>
| To: Hallberg Tom <tom.hallbergrfv.sfa.se>, bugtraqsecurityfocus.com
| Cc: vuln-devsecurity-focus.com
| Subject: RE: apache + .htpasswd - bypass pwd check
| You need to turn off FollowSymLinks in the */public_html/ directories.
| > -----Original Message-----
| > From: Hallberg Tom [mailto:tom.hallbergrfv.sfa.se]
| > Sent: Thursday, April 25, 2002 12:45 AM
| > To: bugtraqsecurityfocus.com
| > Cc: vuln-devsecurity-focus.com
| > Subject: apache + .htpasswd - bypass pwd check
| > Hi
| > yesterday I managed to bypass the pwd check when using .htpasswd.
| > The problem
| > now is that I'm not sure how to secure it.
| > Okay, let's say that user ivan has protected his
| > /home/ivan/public_html/topsecret
| > directory. And on the same server we have the user johan, from
| > his public_html
| > directory we make a symlink ln -s /home/ivan/public_html/topsecret test
| > okay, so then johan tries http://www.hostname.whatever/~johan/test
| > he will end up in ivan's topsecret directory..
| > So what have I missed in my httpd.conf or something else? :)
| > thanx
| > /Tom
RRrRRRr. | RSnake at shocking dot com 0x7A69
RR' `RR | EHAP Founder / WebFringe.com Founder
RR | He who made kittens put snakes in the grass.
RR | DSS:5923 76D7 0EC2 4553 7195 442B 8596 4849 2AA6 1F64
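On the configuration side of Golden_Eternity's suggestion and RSnake's objection to it: the Apache directives involved are `Options -FollowSymLinks +SymLinksIfOwnerMatch` inside the `<Directory /home/*/public_html>` block (a symlink is then followed only when the link and its target have the same owner, which is exactly what stops johan's link into ivan's directory), together with `AllowOverride None`, or at least an `AllowOverride` list that omits `Options`, so a per-user .htaccess cannot switch FollowSymLinks back on. Two caveats a practitioner should know: Apache's own documentation says the symlink tests are subject to race conditions (the link can be replaced between the check and the open), and none of this changes what a CGI script or SSI include running as the shared web user can read, which is why the thread ends at per-user jails. The Python below is an added example, not code from the original posts. It emulates the per-component symlink test Apache applies under the two options, walks a request path the way Apache's directory walk does, and adds an audit helper that lists symlinks whose target belongs to a different user. The directory layout, the constructed .htpasswd line, and the `simulated_ownership` hook (which fakes file ownership so the cross-user case runs without creating real accounts) are assumptions for illustration.

```python
# Added example for this thread, not code from the original posts.  The layout
# built by build_scenario() and the uids in simulated_ownership() are assumed.
import os
import stat
import tempfile


def symlink_allowed(path, follow_symlinks=True, owner_match=False,
                    lstat=os.lstat, stat_fn=os.stat):
    """Would Apache traverse this path component?
    follow_symlinks=True  -> every symlink is followed (FollowSymLinks)
    owner_match=True      -> followed only if link uid == target uid
                             (SymLinksIfOwnerMatch); both False -> never.
    lstat/stat_fn are injectable so the cross-user case runs without root."""
    st_link = lstat(path)
    if not stat.S_ISLNK(st_link.st_mode):
        return True                         # regular file or directory
    if follow_symlinks:
        return True
    if not owner_match:
        return False
    try:
        st_target = stat_fn(path)           # follows the link
    except FileNotFoundError:
        return False                        # dangling link: nothing to serve
    return st_link.st_uid == st_target.st_uid


def request_allowed(docroot, rel_path, **options):
    """Check each component of rel_path below docroot, as Apache's directory
    walk does, refusing as soon as one component fails the symlink test."""
    current = docroot
    for part in rel_path.strip("/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            return False                    # traversal is rejected outright
        current = os.path.join(current, part)
        if not os.path.lexists(current):
            return False
        if not symlink_allowed(current, **options):
            return False
    return True


def find_cross_owner_symlinks(root, lstat=os.lstat, stat_fn=os.stat):
    """Audit helper: symlinks under root whose target belongs to another uid."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):   # never descends links
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st_link = lstat(p)
            if not stat.S_ISLNK(st_link.st_mode):
                continue
            try:
                st_target = stat_fn(p)
            except FileNotFoundError:
                continue                                  # dangling
            if st_link.st_uid != st_target.st_uid:
                hits.append(p)
    return sorted(hits)


def build_scenario():
    """Constructed layout from the thread: ivan's protected directory and
    johan's symlink into it.  Returns the resolved root directory."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="htpasswd-demo-"))
    secret = os.path.join(root, "ivan", "public_html", "topsecret")
    os.makedirs(secret)
    with open(os.path.join(secret, ".htpasswd"), "w") as f:
        f.write("ivan:$apr1$constructed$placeholder\n")   # constructed sample
    johan = os.path.join(root, "johan", "public_html")
    os.makedirs(johan)
    os.symlink("../../ivan/public_html/topsecret", os.path.join(johan, "test"))
    return root


class _Owned:
    """stat-like view carrying only st_mode and a rewritten st_uid."""
    def __init__(self, st, uid):
        self.st_mode = st.st_mode
        self.st_uid = uid


def simulated_ownership(root, uid_by_user):
    """Return (lstat, stat) replacements that report every file as owned by
    the user whose home (assumed layout root/<user>/...) it sits in."""
    root = os.path.realpath(root)

    def uid_for(path):
        rel = os.path.relpath(os.path.realpath(path), root)
        return uid_by_user.get(rel.split(os.sep)[0], 0)

    def fake_lstat(p):   # owner of the link itself: whose home holds it
        return _Owned(os.lstat(p), uid_for(os.path.dirname(os.path.abspath(p))))

    def fake_stat(p):    # owner of the target: whose home the link resolves into
        return _Owned(os.stat(p), uid_for(p))

    return fake_lstat, fake_stat
```

With real ownership (every file created by the same account) `SymLinksIfOwnerMatch` lets the link through, which is the point: on a shared host the check only helps because ivan and johan are different uids. Run the audit helper over `/home` with the real `os.lstat`/`os.stat` to find links like johan's before someone else does.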