Re: [cobalt-security] SMB Group Shares Vulnerable to Web Access



Thanks Jeff.

This works for me, I also replaced the default index.html pages with one 
which does a redirection to /home/groups/home/ in the situations where I 
don't want an "index".  The file permissions also needed to be altered so 
users can't "accidentally" delete index.html.

This does raise an issue ... shouldn't this all be done the other way 
around?  Shouldn't the default be that group authentication is required 
for the group root (i.e. there should be a "public" subdirectory 
instead of a "private" subdirectory)?

I believe these access restrictions are inconsistent ... the default for 
an SMB group share is group authentication ... shouldn't web access to 
the same directory also require group authentication?

I guess the situation is exactly the same in users' home directories.

Cheers,  Malcolm

On 25/3/00 5:42 AM, Jeff Bilicki <jeffb@xxxxxxxxxx> wrote:

>Hello,
>    Yes, a .htaccess file will solve this problem, it can make anyone
>attempting to access the directory through the web provide a user name
>and password.   Also, having an index.html file with just,
><html><head></head><body></body></html>, will stop people from being
>able to browse the directory tree. 
>
>Jeff-
>
>
>Malcolm McLeary wrote:
>> 
>> Guys,
>> 
>> I've been poking around a Qube2 and I'm a bit concerned about the lack of
>> security or how vulnerable the SMB shares are due to the web service.
>> 
>> It may not be likely, but a web browser can gain read access to files in
>> a group share (i.e. /home/groups/groupname/) without having to supply a
>> username and password if the name of a subdirectory is known or almost
>> any file if index.html is not present as the web server returns the index
>> for the directory.
>> 
>> Am I missing something here?
>> 
>> Is there a config option to change the behaviour of the web server such
>> that it will NOT return an index when the default page (index.html) is
>> not present?
>> 
>> What is the scope of a .htaccess file?  Does it control access to just
>> the directory its in, or subdirectories as well?
>> 
>> Is it possible to simply enable/disable web access to group directories on
>> a case by case basis (e.g. on for /home/groups/home/ and
>> /home/groups/intranet/, off for all other groups)?
>> 
>> Cheers,  Malcolm


. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                       Information Alchemy Pty Ltd
                             ACN 089 239 305
                           Canberra, Australia

Malcolm McLeary                                  Mobile:   0412 636 086
Managing Director                                Email:  mim@xxxxxxxxxx

     This message was sent using Claris Emailer 2.0v3 for Macintosh.
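As an added illustration of the .htaccess approach discussed in the thread (not configuration from the list or from Cobalt): the first file closes the group root by requiring membership of the group and turning off automatic directory indexes; the second opens a "public" subdirectory the way Malcolm suggests. Apache applies a .htaccess to its directory and every subdirectory beneath it, so the group root file covers the whole share. The group name, the password/group file paths and the public subdirectory are assumptions; the server must also permit these directives with AllowOverride (at least AuthConfig, Limit and Options) for the files to take effect.

```apache
# --- /home/groups/groupname/.htaccess (assumed path) ---
# Applies to this directory and every subdirectory beneath it.

# Never fall back to an auto-generated listing when index.html is absent.
Options -Indexes

# Require a logged-in user who is a member of the group.
# The password and group file locations are assumptions.
AuthType Basic
AuthName "groupname share"
AuthUserFile /etc/httpd/groupname.passwd
AuthGroupFile /etc/httpd/groupname.group
require group groupname

# --- /home/groups/groupname/public/.htaccess (assumed path) ---
# Overrides the parent's restriction for the public subtree only:
# "Satisfy Any" lets a request through if EITHER the host-based
# Allow rule OR the authentication succeeds, so unauthenticated
# browsers can read this directory while the rest of the share
# still prompts for a group login.
Satisfy Any
Order allow,deny
Allow from all

# Indexes stay disabled here because Options -Indexes is inherited
# from the parent directory and is not re-enabled in this file.
```

If the public subdirectory should not exist for a group, omit the second file and the whole share stays behind group authentication.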