- From: BearHeart / Bill Weinman <BearHeart@bearnet.com>
- Date: Wed, 27 Dec 95 18:45 CST
- To: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
I apologize if this has been discussed--I've gotten behind
in my reading as I head down the final stretch to my book deadline.
I just noticed in the WWW Security FAQ a notation that some
servers, including NCSA, allow the file ".htaccess" to be retrieved.
I tried it with my Apache 1.0 server and I got the file.
Perhaps the following modification of the proposed section 12.5
would help: (change marks in the left column are relative to Paul
Hoffman's message that began this thread)
| 12.5 Attacks Based On URL Contents
Implementations of the HTTP servers should be careful to restrict the
documents returned by HTTP requests to be only those that were intended
by the administrators. If an HTTP server translates HTTP URIs directly
into file system calls, the server must take special care not to serve
files outside the desired directory tree. For example, Unix, Microsoft
Windows, and other operating systems use ".." as a path component to
indicate a directory level above the current one. A URL with such
constructs can be constructed to potentially allow access to files
outside the desired directory structure, and should thus be disallowed.
+ Many servers implement a system of access-control files within the
+ document directory tree that may contain sensitive security- or
+ implementation-related information. A URL which references a filename
+ which is used for access-control files, or a filename pattern
+ commonly used for system files (e.g. "/." for Unix systems, or ".PWL"
+ for Microsoft Windows systems), should be disallowed. A server should
+ make a configuration option available to the system administrator to
+ ensure that this protection is made sufficiently flexible for
+ site-specific security considerations.
+----------------------------------------------------------------------+
* BearHeart / Bill Weinman
* BearHeart@bearnet.com * * http://www.bearnet.com/ *
* Author of The CGI Book: * http://www.bearnet.com/cgibook/ *
* "To enjoy life, take big bites. Moderation is for monks."
--Lazarus Long
Received on Wednesday, 27 December 1995 15:51:20 UTC
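The checks the proposed 12.5 text asks of a server (refuse ".." traversal, refuse URLs naming access-control files or system-file patterns such as "/." and ".PWL", and leave the administrator a configuration knob), worked through as an added example. This is not code from the message or from any HTTP server; the document root and deny rules are constructed for illustration.

```python
"""Added example, not code from the HTTP-WG message or from any HTTP server:
a defender-side check mapping a request path onto a document root, refusing
".." traversal and requests that name access-control or system files.
The deny rules are constructed from the examples in the proposed 12.5 text."""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed defaults; a real server would load these from its configuration.
ACCESS_CONTROL_FILES = {".htaccess"}   # per-directory access-control file
DENIED_SUFFIXES = {".pwl"}             # Windows password-list files


def resolve_request_path(docroot: str, url_path: str,
                         deny_dotfiles: bool = True) -> Optional[str]:
    """Return the filesystem path to serve, or None if the request is refused.

    deny_dotfiles is the administrator's knob for the "/." pattern: when set,
    any hidden Unix file or directory is refused, not just .htaccess.
    """
    # Decode %-escapes once so "%2e%2e" is treated the same as "..";
    # drop empty and "." components, which change nothing.
    components = [c for c in unquote(url_path).split("/") if c and c != "."]
    for comp in components:
        if comp == "..":                              # directory traversal
            return None
        if comp.lower() in ACCESS_CONTROL_FILES:      # access-control file
            return None
        if deny_dotfiles and comp.startswith("."):    # "/." system-file pattern
            return None
        if posixpath.splitext(comp)[1].lower() in DENIED_SUFFIXES:  # ".PWL"
            return None
    root = posixpath.normpath(docroot)
    full = posixpath.normpath(posixpath.join(root, *components))
    # Defence in depth: the joined path must still lie at or below docroot.
    if full != root and not full.startswith(root + "/"):
        return None
    return full
```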