RE: apache + .htpasswd - bypass pwd check

From: RSnake (rsnakeat_private)
Date: Fri Apr 26 2002 - 09:09:11 PDT


    	Okay, I wasn't going to comment on this, but no, that will only solve a
    very small part of the problem.  What about SSI?  CGI?  If you allow .htaccess
    files to override settings I can turn FollowSymLinks back on.  There are nearly
    as many ways around this as ways to fix it.  The only good way to fix this that
    I have heard of is to make a chrooted jail (http://jailnotes.cg.nu/) for each
    user, and give them access to their own virtual machine.
    
    	The problem is that http runs as the www or nobody or whathaveyou user.
    All content has to be viewable by that single user.  Even if you could stop all
    that nonsense and chmoded all the dirs to 711 so the malicious user couldn't
    easily navigate around, a user could still cd into the public directory of the
    victim's account and simply follow the links around until they located the
    secret dir, and read or copy the .htpasswd file or whatever strikes their
    fancy (except edit, assuming you aren't a complete idiot with permissions).
    
    	Oh, or you could pull a Geocities, and completely disallow shell access
    to the box.  Not too classy, but it worked.  Basically, if you don't trust
    your users that you give access to your machine, you should jail them,
    give them very restricted access to their own box, put in acl rules to make
    sure they are logging in from approved hosts, use skey/secureid, syslog to
    another host, etc... etc...  You get the idea.
    
    On Thu, 25 Apr 2002, Golden_Eternity wrote:
    
    | Date: Thu, 25 Apr 2002 09:17:12 -0700
    | From: Golden_Eternity <bhodi_jabirat_private>
    | To: Hallberg Tom <tom.hallbergat_private>, bugtraqat_private
    | Cc: vuln-dev@security-focus.com
    | Subject: RE: apache + .htpasswd - bypass pwd check
    |
    | You need to turn off FollowSymLinks in the */public_html/ directories.
    |
    | > -----Original Message-----
    | > From: Hallberg Tom [mailto:tom.hallbergat_private]
    | > Sent: Thursday, April 25, 2002 12:45 AM
    | > To: bugtraqat_private
    | > Cc: vuln-dev@security-focus.com
    | > Subject: apache + .htpasswd - bypass pwd check
    | >
    | >
    | > Hi
    | >
    | > yesterday I managed to bypass the pwd check when using .htpasswd.
    | > The problem
    | > now is that I'm not sure how to secure it.
    | >
    | > Okay, let's say that user ivan has protected his
    | > /home/ivan/public_html/topsecret
    | > directory. And on the same server we have the user johan, from
    | > his public_html
    | > directory we make a symlink ln -s /home/ivan/public_html/topsecret test
    | > okay so then johan tries http://www.hostname.whatever/~johan/test
    | > he will end up in ivan's topsecret directory..
    | >
    | > So what have I missed in my httpd.conf or something else? :)
    | >
    | > thanx
    | > /Tom
    | >
    |
    
    RRrRRRr. | RSnake at shocking dot com                     0x7A69
    RR'  `RR | EHAP Founder / WebFringe.com Founder
    RR       | He who made kittens put snakes in the grass.
    RR       | DSS:5923 76D7 0EC2 4553 7195 442B 8596 4849 2AA6 1F64
    
    The information in this email is confidential and may be legally
    privileged.  It is intended solely for the addressee.  Access to
    this email by anyone else is unauthorized.  If you are not the
    intended recipient, any disclosure, copying, distribution or any
    action taken or omitted to be taken in reliance on it is
    expressly prohibited and may be unlawful.
    



    This archive was generated by hypermail 2b30 : Fri Apr 26 2002 - 11:24:48 PDT
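
Added example, not part of the original thread: a defender-side audit for the symlink case described in the quoted message, flagging any symlink under one user's public_html that resolves outside that user's home. It assumes the /home/<user>/public_html layout from the post; the function names are hypothetical and the demo tree is constructed sample data. It covers only the symlink route, not the SSI, CGI or shell paths raised in the reply.

```python
import os
import tempfile


def find_escaping_symlinks(home_root, docroot="public_html"):
    """Return (link, resolved_target, user) for each symlink under
    <home_root>/<user>/<docroot> that resolves outside <home_root>/<user>."""
    findings = []
    home_root = os.path.realpath(home_root)
    for user in sorted(os.listdir(home_root)):
        user_home = os.path.join(home_root, user)
        web_root = os.path.join(user_home, docroot)
        if os.path.islink(user_home) or not os.path.isdir(web_root):
            continue
        candidates = [web_root]  # the docroot itself may be a symlink
        # os.walk does not descend into symlinked directories by default,
        # so the scan cannot be led out of the tree it is auditing.
        for dirpath, dirnames, filenames in os.walk(web_root):
            candidates += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in candidates:
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([target, user_home]) != user_home:
                findings.append((path, target, user))
    return findings


def build_demo_tree(root):
    """Constructed sample: the ivan/johan layout from the quoted message."""
    secret = os.path.join(root, "ivan", "public_html", "topsecret")
    johan_web = os.path.join(root, "johan", "public_html")
    os.makedirs(secret)
    os.makedirs(os.path.join(johan_web, "files"))
    with open(os.path.join(secret, ".htaccess"), "w") as fh:
        fh.write("AuthType Basic\nRequire valid-user\n")
    # Cross-user link from the post: should be reported.
    os.symlink(secret, os.path.join(johan_web, "test"))
    # Link that stays inside johan's own home: should not be reported.
    os.symlink(os.path.join(johan_web, "files"), os.path.join(johan_web, "ok"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        for link, target, user in find_escaping_symlinks(demo):
            print(f"{user}: {link} -> {target}")
```

Run it periodically against the real home root (for example from cron as a user that can traverse every public_html) and review each reported link.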