
Re: [cobalt-security] SMB Group Shares Vulnerable to Web Access



Hello,
    Yes, a .htaccess file will solve this problem; it can make anyone
attempting to access the directory through the web provide a user name
and password. Also, having an index.html file with just
<html><head></head><body></body></html> will stop people from being
able to browse the directory tree.

Jeff-


Malcolm McLeary wrote:
> 
> Guys,
> 
> I've been poking around a Qube2 and I'm a bit concerned about the lack of
> security or how vulnerable the SMB shares are due to the web service.
> 
> It may not be likely, but a web browser can gain read access to files in
> a group share (i.e. /home/groups/groupname/) without having to supply a
> username and password if the name of a subdirectory is known or almost
> any file if index.html is not present as the web server returns the index
> for the directory.
> 
> Am I missing something here?
> 
> Is there a config option to change the behaviour of the web server such
> that it will NOT return an index when the default page (index.html) is
> not present?
> 
> What is the scope of a .htaccess file?  Does it control access to just
> the directory it's in, or subdirectories as well?
> 
> Is it possible to simply enable/disable web access to group directories on
> a case by case basis (e.g. on for /home/groups/home/ and
> /home/groups/intranet/, off for all other groups)?
> 
> Cheers,  Malcolm
> 
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> 
>                        Information Alchemy Pty Ltd
>                              ACN 089 239 305
>                            Canberra, Australia
> 
> Malcolm McLeary                                  Mobile:   0412 636 086
> Managing Director                                Email:  mim@xxxxxxxxxx
> 
>      This message was sent using Claris Emailer 2.0v3 for Macintosh.
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
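
Added example, not part of either message and not the Qube's shipped configuration: an Apache sketch of the three controls discussed in this thread (no generated index, per-group web access, password via .htaccess). It assumes Apache 1.3/2.2-style access directives and a hypothetical password file path; only /home/groups and the two group names come from the thread.

```apache
# --- Main server configuration (e.g. httpd.conf) -------------------------
# Default for every group share: never generate a directory listing and
# refuse web access unless a group is explicitly re-enabled below.
# "Options -Indexes" makes a directory without index.html return 403
# instead of a listing, so no empty index.html placeholder is needed.
<Directory "/home/groups">
    Options -Indexes
    # Allow .htaccess files to set authentication and access limits only.
    AllowOverride AuthConfig Limit
    Order deny,allow
    Deny from all
</Directory>

# Per-group switch: the more specific <Directory> section is merged after
# the one above, so these two groups are reachable and all others are not.
<Directory "/home/groups/home">
    Order allow,deny
    Allow from all
</Directory>

<Directory "/home/groups/intranet">
    Order allow,deny
    Allow from all
</Directory>

# On Apache 2.4 the equivalents are "Require all denied" and
# "Require all granted" in place of the Order/Deny/Allow lines.

# --- /home/groups/intranet/.htaccess -------------------------------------
# A .htaccess file applies to the directory it is in and to every
# subdirectory below it, unless a deeper .htaccess overrides it.
# The AuthUserFile path is an assumed location, kept outside the web tree;
# create it with the htpasswd utility.
AuthType Basic
AuthName "Intranet group share"
AuthUserFile /etc/httpd/intranet.htpasswd
Require valid-user
```

An empty index.html only hides the listing for the one directory that contains it; files and subdirectories whose names are known stay readable, which is why the deny-by-default and authentication settings carry the actual access control.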



