
Re: [cobalt-users] remove slash



> Date: Sat, 26 Jan 2002 11:14:30 +0000
> From: Revd leonard payne <vicarage@xxxxxxxxxxxxxx>

> All Eddy's other suggestions seem downright dangerous to any
> blue washing machine owner. I use symlinks - so come on Eddy
> ... elaborate .. and let the discussion roll

Symlinks can also be downright dangerous.  I hate to post "how to
crack in a nutshell" messages, but all of this is easily
available elsewhere...  I guess I'll elaborate:

To use symlinks, FollowSymLinks must be on.  If this directive is
applied to users' directories, they may use symlinks to bypass
path checking.

Let's say that users are allowed symlink-following permission.
Here's what happens:

I decide that I want to break into www.anothersite.tld's credit
card database.  This site is hosted on your server, and they're
using a .htaccess file to protect the www.anothersite.tld/admin
portion of their site.

I create a symlink called "data.txt" in my web space that
points to "/their/path/admin/.htaccess".  I may now read their
.htaccess file.  By doing this, I learn where their hashed
passwords are stored (retrievable with another symlink), the
credentials to use for the access-checking database if they're
using mod_mysql authentication or similar, etc.

I gather their encrypted passwords and run a brute-force crack on
what I find.  Uh-oh.  Big problems.  I now have elevated
permissions on their site.

The answer is to disallow symlinks or to check the owner of the
target file.  Both are available via Apache config options.  If done
properly (i.e., users cannot create symlinks to arbitrary files),
you're fine.

Whether or not everyone sufficiently restricts symlinks is
another question.  Taking the easy way out and enabling symlinks
sans owner checking for everyone is a disaster waiting to happen.


Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
--

Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.  Do NOT
send mail to <blacklist@xxxxxxxxx>, or you are likely to be blocked.
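The scenario Eddy describes, as an added example that is not part of the original post and not Apache's own code: a small Python model of the per-component symlink check that Apache applies when mapping a request to a file, run against a constructed two-tenant layout (paths, uids and the "attacker"/"victim" names are assumptions). It shows why plain FollowSymLinks hands the victim's .htaccess to the attacker and why the owner check (SymLinksIfOwnerMatch) refuses it. The stat functions are injectable only so the cross-owner case can be shown without root; the real-filesystem demo at the end uses os.lstat/os.stat as-is.

```python
"""Model of Apache's symlink handling for a shared-hosting document tree.

Constructed example (not Apache's code): two customers share one httpd.
The attacker creates, inside his own web space,
    /home/attacker/web/data.txt -> /home/victim/web/admin/.htaccess
and requests it through his own site.  The server walks the path one
component at a time; for every component that is a symlink it applies
the Options setting in force for that directory.
"""
import os
import stat as statmod
import tempfile
from collections import namedtuple

# The three relevant Options settings, named as in httpd.conf.
NO_SYMLINKS = "None"                         # symlinks are never followed
FOLLOW_SYMLINKS = "FollowSymLinks"           # followed unconditionally (weak)
SYMLINKS_IF_OWNER_MATCH = "SymLinksIfOwnerMatch"  # link owner must equal target owner


def check_path(path, option, lstat=os.lstat, stat=os.stat):
    """Return (allowed, reason) for serving `path` under `option`.

    Simplification: the option is applied to the whole path; httpd applies
    the setting of the directory each component lives in.
    """
    path = os.path.abspath(path)
    cur = os.sep
    for part in path.split(os.sep)[1:]:
        cur = os.path.join(cur, part)
        try:
            link_info = lstat(cur)            # the component itself, not its target
        except FileNotFoundError:
            return False, f"{cur}: not found"
        if not statmod.S_ISLNK(link_info.st_mode):
            continue
        if option == NO_SYMLINKS:
            return False, f"{cur}: is a symlink and FollowSymLinks is not set"
        if option == FOLLOW_SYMLINKS:
            continue                          # no owner check at all
        try:
            target_info = stat(cur)           # what the link resolves to
        except FileNotFoundError:
            return False, f"{cur}: dangling symlink"
        if link_info.st_uid != target_info.st_uid:
            return False, (f"{cur}: link owned by uid {link_info.st_uid}, "
                           f"target owned by uid {target_info.st_uid}")
    return True, "ok"


FakeStat = namedtuple("FakeStat", "st_mode st_uid")


def fake_hosting_fs(attacker_uid=1001, victim_uid=1002):
    """Constructed filesystem: path -> (lstat result, stat result)."""
    d, f, l = statmod.S_IFDIR | 0o755, statmod.S_IFREG | 0o644, statmod.S_IFLNK | 0o777
    tree = {
        "/home": (FakeStat(d, 0), FakeStat(d, 0)),
        "/home/victim": (FakeStat(d, victim_uid), FakeStat(d, victim_uid)),
        "/home/victim/web": (FakeStat(d, victim_uid), FakeStat(d, victim_uid)),
        "/home/victim/web/admin": (FakeStat(d, victim_uid), FakeStat(d, victim_uid)),
        "/home/victim/web/admin/.htaccess": (FakeStat(f, victim_uid), FakeStat(f, victim_uid)),
        "/home/attacker": (FakeStat(d, attacker_uid), FakeStat(d, attacker_uid)),
        "/home/attacker/web": (FakeStat(d, attacker_uid), FakeStat(d, attacker_uid)),
        # the attack: attacker-owned link pointing at a victim-owned file
        "/home/attacker/web/data.txt": (FakeStat(l, attacker_uid), FakeStat(f, victim_uid)),
        # a harmless link to the attacker's own file, which the owner check permits
        "/home/attacker/web/own.txt": (FakeStat(l, attacker_uid), FakeStat(f, attacker_uid)),
    }

    def lookup(index):
        def _stat(p):
            if p not in tree:
                raise FileNotFoundError(p)
            return tree[p][index]
        return _stat

    return lookup(0), lookup(1)


def real_fs_demo():
    """Same check on a real temp directory (single uid, so both modes allow)."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "secret.txt")
        with open(target, "w") as fh:
            fh.write("constructed\n")
        link = os.path.join(root, "data.txt")
        os.symlink(target, link)
        return (check_path(link, FOLLOW_SYMLINKS)[0],
                check_path(link, SYMLINKS_IF_OWNER_MATCH)[0],
                check_path(link, NO_SYMLINKS)[0])


if __name__ == "__main__":
    lst, st = fake_hosting_fs()
    for opt in (FOLLOW_SYMLINKS, SYMLINKS_IF_OWNER_MATCH, NO_SYMLINKS):
        print(opt, check_path("/home/attacker/web/data.txt", opt, lst, st))
    print("real fs:", real_fs_demo())
```

In httpd terms the fix is `Options SymLinksIfOwnerMatch` (or no symlink option at all) in the per-user `<Directory>` blocks, and an `AllowOverride` that does not include `Options`, since otherwise a user simply puts `Options +FollowSymLinks` in his own .htaccess and re-enables the bypass. The owner check is evaluated per request on the path as it exists at that moment, so it restricts what a tenant's links can reach but is not a substitute for per-site process uids when the sites hold anything as sensitive as the credit-card example above.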