W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1995

Re: Potential HTTP Security Risk

From: BearHeart / Bill Weinman <BearHeart@bearnet.com>
Date: Sat, 30 Dec 1995 11:36:08 -0600
Message-Id: <199512301736.LAA12781@primus.paranoia.com>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
At 10:07 am 12/28/95 -0600, John Franks wrote:
>all for warnings it the HTTP specification, but it is not very
>realistic to think that any collection of warnings will really remedy
>the situation.  You simply can't warn against all the possible risks
>associated with this design.

   That's why I suggested language that would suggest that the 
server have a configuration option for the sysadmin to specify 
wild-cards that would protect against classes of files: 

>>  + which is used for access-control files, or a filename pattern 
>>  + commonly used for system files (e.g. "/." for Unix systems, or ".PWL" 
>>  + for Microsoft Windows systems), should be disallowed. A server should 

   That way, I could have entries like this in my access.conf 
file: 

<Directory /web/doctree>
<Limit GET>
order allow,deny
allow from all
deny files "..*"
deny files ".*"
deny files "*.cgi"
deny files "nph-*"
</Limit>
</Directory>

   Currently, I have a server that I'm planning to put on the net. 
I am the only user on the system so I didn't see any particular 
risk in having local ACFs in the filesystem until I realized that 
they could be retrieved by a GET. If I could restrict them as 
I've shown here, I would be able to use them. 



+----------------------------------------------------------------------+
 * BearHeart / Bill Weinman 
 * BearHeart@bearnet.com *            * http://www.bearnet.com/ *
 * Author of The CGI Book:    * http://www.bearnet.com/cgibook/ *
 * "To enjoy life, take big bites. Moderation is for monks." 
                                                       --Lazarus Long
Received on Saturday, 30 December 1995 09:39:33 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:38 EDT