
Re: [cobalt-security] SMB Group Shares Vulnerable to Web Access



Hello,
    Yes, a .htaccess file will solve this problem: it can make anyone
attempting to access the directory through the web provide a user name
and password.  Also, having an index.html file with just
<html><head></head><body></body></html> will stop people from being
able to browse the directory tree.

Jeff-


Malcolm McLeary wrote:
> 
> Guys,
> 
> I've been poking around a Qube2 and I'm a bit concerned about the lack of
> security or how vulnerable the SMB shares are due to the web service.
> 
> It may not be likely, but a web browser can gain read access to files in
> a group share (i.e. /home/groups/groupname/) without having to supply a
> username and password if the name of a subdirectory is known, or to almost
> any file if index.html is not present, as the web server returns the index
> for the directory.
> 
> Am I missing something here?
> 
> Is there a config option to change the behaviour of the web server such
> that it will NOT return an index when the default page (index.html) is
> not present?
> 
> What is the scope of a .htaccess file?  Does it control access to just
> the directory it's in, or subdirectories as well?
> 
> Is it possible to simply enable/disable web access to group directories on
> a case by case basis (e.g. on for /home/groups/home/ and
> /home/groups/intranet/, off for all other groups)?
> 
> Cheers,  Malcolm
> 
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> 
>                        Information Alchemy Pty Ltd
>                              ACN 089 239 305
>                            Canberra, Australia
> 
> Malcolm McLeary                                  Mobile:   0412 636 086
> Managing Director                                Email:  mim@xxxxxxxxxx
> 
>      This message was sent using Claris Emailer 2.0v3 for Macintosh.
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
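As an added example (not code from either poster), here is what such a .htaccess file could look like for one group share, covering both the listing/password problem Jeff answers and Malcolm's per-group on/off question. The group name, the password-file path, and the assumption that the Qube's httpd.conf grants AllowOverride for the /home/groups tree are all assumptions, not facts from the thread.

```apache
# Added example: a .htaccess file placed in /home/groups/groupname/
# (hypothetical group name). Directives here apply to that directory
# AND to every subdirectory beneath it, unless a deeper .htaccess
# overrides a directive. Assumption: httpd.conf grants AllowOverride
# for /home/groups, otherwise Apache silently ignores this file.

# Never generate an automatic directory listing when index.html is absent.
Options -Indexes

# Demand a user name and password for every request under this directory.
# The password file is assumed to live outside any web-served tree and to
# have been created with:  htpasswd -c /etc/httpd/groupname.htpasswd someuser
AuthType Basic
AuthName "groupname share - authorised users only"
AuthUserFile /etc/httpd/groupname.htpasswd
Require valid-user

# Alternative for a group that should have NO web access at all
# (Apache 1.3-era access-control syntax): use these two lines instead
# of the Auth* block above.
# Order deny,allow
# Deny from all
```

Because the directives inherit downward, one file at the top of the group share covers every subdirectory, so the "subdirectory name is known" case is closed as well.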