Re: [cobalt-security] SMB Group Shares Vulnerable to Web Access
- Subject: Re: [cobalt-security] SMB Group Shares Vulnerable to Web Access
- From: Jeff Bilicki <jeffb@xxxxxxxxxx>
- Date: Fri, 24 Mar 2000 10:42:26 -0800
Hello,
Yes, a .htaccess file will solve this problem; it can make anyone
attempting to access the directory through the web provide a user name
and password. Also, having an index.html file with just
<html><head></head><body></body></html> will stop people from being
able to browse the directory tree.
Jeff-
Malcolm McLeary wrote:
>
> Guys,
>
> I've been poking around a Qube2 and I'm a bit concerned about the lack of
> security or how vulnerable the SMB shares are due to the web service.
>
> It may not be likely, but a web browser can gain read access to files in
> a group share (i.e. /home/groups/groupname/) without having to supply a
> username and password if the name of a subdirectory is known or almost
> any file if index.html is not present as the web server returns the index
> for the directory.
>
> Am I missing something here?
>
> Is there a config option to change the behaviour of the web server such
> that it will NOT return an index when the default page (index.html) is
> not present?
>
> What is the scope of a .htaccess file? Does it control access to just
> the directory it's in, or subdirectories as well?
>
> Is it possible to simply enable/disable web access to group directories on
> a case by case basis (e.g. on for /home/groups/home/ and
> /home/groups/intranet/, off for all other groups)?
>
> Cheers, Malcolm
>
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
>
> Information Alchemy Pty Ltd
> ACN 089 239 305
> Canberra, Australia
>
> Malcolm McLeary Mobile: 0412 636 086
> Managing Director Email: mim@xxxxxxxxxx
>
> This message was sent using Claris Emailer 2.0v3 for Macintosh.
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
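
An audit sketch for the exposure discussed in this thread, added here as an example and not code from either poster or from Cobalt: it walks a share root and reports, per directory, whether the web server would return a generated index, serve files without a listing, or ask for a password. The function names and status labels are hypothetical, and it assumes Apache-style .htaccess handling with overrides enabled, directives inherited by subdirectories, index.html as the only default page, and auto-indexing on unless turned off; the sample tree is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

REQUIRE = re.compile(r"^[ \t]*require[ \t]+\S", re.I | re.M)
OPTIONS = re.compile(r"^[ \t]*options[ \t]+(.*)$", re.I | re.M)

def read_htaccess(directory):
    """Return (requires_auth, indexes); indexes is True, False, or None if unset."""
    path = Path(directory, ".htaccess")
    if not path.is_file():
        return False, None
    text, indexes = path.read_text(), None
    for word in " ".join(OPTIONS.findall(text)).lower().split():
        if word in ("-indexes", "none"):
            indexes = False
        elif word in ("indexes", "+indexes", "all"):
            indexes = True
    return bool(REQUIRE.search(text)), indexes

def audit(root, index_name="index.html"):
    """Map each directory under root to 'auth', 'listable' or 'readable'."""
    root, state, report = os.path.abspath(root), {}, {}
    for current, _dirs, files in os.walk(root):  # top-down: parents come first
        p_auth, p_idx = state.get(os.path.dirname(current), (False, True))
        auth, idx = read_htaccess(current)
        auth, idx = auth or p_auth, p_idx if idx is None else idx
        state[current] = (auth, idx)
        if auth:
            status = "auth"      # password required before anything is served
        elif idx and index_name not in files:
            status = "listable"  # server returns a generated directory index
        else:
            status = "readable"  # no listing, but known names are still served
        report[os.path.relpath(current, root)] = status
    return report

def demo():
    """Audit a constructed sample tree (directory names and contents are made up)."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("home", "intranet/docs", "sales/reports", "staff/private"):
            os.makedirs(os.path.join(root, d))
        Path(root, "home", "index.html").write_text("<html></html>")
        Path(root, "intranet", ".htaccess").write_text("AuthType Basic\nrequire valid-user\n")
        Path(root, "staff", ".htaccess").write_text("Options -Indexes\n")
        return audit(root)

if __name__ == "__main__":
    print(demo())
```

A "readable" result is what the empty index.html workaround produces: the listing is suppressed, but a file or subdirectory whose name is known is still served without a password.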