Potential HTTP Security Risk

   I apologize if this has been discussed--I've gotten behind 
in my reading as I head down the final stretch to my book deadline. 

   I just noticed in the WWW Security FAQ a notation that some 
servers, including NCSA, allow the file ".htaccess" to be retrieved. 
I tried it with my Apache 1.0 server and I got the file. 

   Perhaps the following modification of the proposed section 12.5 
would help: (change marks in the left column are relative to Paul 
Hoffman's message that began this thread)

 | 12.5  Attacks Based On URL Contents

   Implementations of the HTTP servers should be careful to restrict the
   documents returned by HTTP requests to be only those that were intended
   by the administrators. If an HTTP server translates HTTP URIs directly
   into file system calls, the server must take special care not to serve
   files outside the desired directory tree. For example, Unix, Microsoft
   Windows, and other operating systems use ".." as a path component to
   indicate a directory level above the current one. A URL with such
   constructs can be constructed to potentially allow access to files
   outside the desired directory structure, and should thus be disallowed.

 + Many servers implement a system of access-control files within the 
 + document directory tree that may contain sensitive security- or 
 + implementation-related information. A URL which references a filename 
 + which is used for access-control files, or a filename pattern 
 + commonly used for system files (e.g. "/." for Unix systems, or ".PWL" 
 + for Microsoft Windows systems), should be disallowed. A server should 
 + make a configuration option available to the system administrator to 
 + ensure that this protection is made sufficiently flexible for 
 + site-specific security considerations. 

 * BearHeart / Bill Weinman 
 * BearHeart@bearnet.com *            * http://www.bearnet.com/ *
 * Author of The CGI Book:    * http://www.bearnet.com/cgibook/ *
 * "To enjoy life, take big bites. Moderation is for monks." 
                                                       --Lazarus Long

Received on Wednesday, 27 December 1995 15:51:20 UTC
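A defensive request-path check in the spirit of the proposed section 12.5, as an added example that is not code from the original message or from any server: it percent-decodes the request path, refuses ".." segments, applies a configurable deny list of access-control and system filenames (here .htaccess-style files and .PWL), and confirms the mapped file still sits under the document root. The docroot value and the default deny patterns are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed, hypothetical defaults; a real server would load these from
# its configuration, as the proposed section 12.5 recommends.
DEFAULT_DENY_PATTERNS = (
    r"^\.ht",   # .htaccess, .htpasswd and friends (NCSA/Apache style)
    r"\.pwl$",  # Windows password-list files
)


def resolve_request_path(url_path, docroot, deny_patterns=DEFAULT_DENY_PATTERNS):
    """Map an HTTP request path onto a file under docroot, or return None.

    Rejects ".." segments (directory traversal), NUL bytes, filenames that
    match the deny list, and anything that leaves docroot after normalisation.
    docroot is a POSIX-style absolute path; symlink resolution is out of scope.
    """
    # Drop the query string, then percent-decode so "%2e%2e" is seen as "..".
    path = unquote(url_path.split("?", 1)[0])
    if "\x00" in path or not path.startswith("/"):
        return None
    segments = [s for s in path.split("/") if s not in ("", ".")]
    for seg in segments:
        if seg == "..":
            return None
        if any(re.search(p, seg, re.IGNORECASE) for p in deny_patterns):
            return None
    docroot = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(docroot, *segments))
    # Belt and braces: the mapped file must still sit inside docroot.
    if candidate != docroot and not candidate.startswith(docroot + "/"):
        return None
    return candidate
```

Passing a different `deny_patterns` tuple is the site-specific configuration hook the proposed text asks for; an empty tuple disables only the filename filter, not the traversal check.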