Re: Potential HTTP Security Risk

At 10:07 am 12/28/95 -0600, John Franks wrote:
>all for warnings it the HTTP specification, but it is not very
>realistic to think that any collection of warnings will really remedy
>the situation.  You simply can't warn against all the possible risks
>associated with this design.

   That's why I suggested language that would suggest that the 
server have a configuration option for the sysadmin to specify 
wild-cards that would protect against classes of files: 

>>  + which is used for access-control files, or a filename pattern 
>>  + commonly used for system files (e.g. "/." for Unix systems, or ".PWL" 
>>  + for Microsoft Windows systems), should be disallowed. A server should 

   That way, I could have entries like this in my access.conf 

<Directory /web/doctree>
<Limit GET>
order allow,deny
allow from all
deny files "..*"
deny files ".*"
deny files "*.cgi"
deny files "nph-*"

   Currently, I have a server that I'm planning to put on the net. 
I am the only user on the system so I didn't see any particular 
risk in having local ACFs in the filesystem until I realized that 
they could be retrieved by a GET. If I could restrict them as 
I've shown here, I would be able to use them. 

 * BearHeart / Bill Weinman 
 * *            * *
 * Author of The CGI Book:    * *
 * "To enjoy life, take big bites. Moderation is for monks." 
                                                       --Lazarus Long

Received on Saturday, 30 December 1995 09:39:33 UTC