Bugtraq mailing list archives

Re: More security problems in Apache on Mac OS X


From: Eric Bennett <emb22 () cornell edu>
Date: Mon, 10 Sep 2001 19:44:05 -0400

Jacques Distler wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[Originally posted to <http://www.macintouch.com/mosxreaderreports46.html>]

We've already seen the security problems (or potential problems) in Apache
on MacOSX associated with the case-insensitivity of HFS+. By exploiting the
case-insensitivity of HFS+, an attacker can evade Apache's access controls.

Using mod_hfs (which takes care of case-insensitivity in directory names)
and using <FilesMatch> (with well-chosen regular expressions) instead of
<Files> directives (to take care of case-insensitivity in filenames), we can
"cure" the case-insensitivity problem and restore Apache's access controls.

But there's another gotcha lurking.

You typically don't want people to be able to obtain a list of files in your
web directory. To allow them to obtain such a list, you explicitly have to

1) NOT have an index.html file in the directory
2) include an Options Indexes directive among the access controls for that
directory

Or you could just run MacOSX.

The Finder creates an invisible file, ".DS_Store", in each directory which
contains (among other binary gobbledygook) a list of files in the directory.

So, if you have EVER viewed a web directory in the Finder, an attacker can
just retrieve

  http://your.mac.com/some_directory/.dS_store

to learn what files are in that directory.

Even worse, they may be able to get some of the contents of those files by
accessing:

http://your.mac.com/some_directory/.FBCIndex

which seems to be the Mac OS X find-by-content database, now stored at
subfolder levels as opposed to the root level of each filesystem as in Mac
OS 9.x.  If you indexed the directory while in Mac OS X, presumably the
contents of files readable only by you may have ended up inside the
index file which is now readable by everybody.

Of course, the real question is: why was this file created world-readable
in the first place?

As I recall, the earlier discussions on Mac OS X/Apache security problems
revealed that there were discrepancies about when files are created
world-readable.  Some systems had files world readable and others did not. 
I don't remember what the cause of the difference was.  On my system, in my
~ directory, both .DS_Store and .FBCIndex are world-readable and also
world-writable.  But in some of my home directory's subdirectories they are
only readable and writable by me.  I am not sure why there is this
difference.


-- 
Eric Bennett ( ericb () pobox com ; http://www.pobox.com/~ericb )

A designer knows he has achieved perfection not when there is nothing left
to add, but when there is nothing left to take away. - Antoine de
Saint-Exupéry
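The mitigation the thread sketches (a <FilesMatch> regex in place of <Files>, and no Indexes), written out as an added example. This is not configuration taken from Distler's or Bennett's posts; the DocumentRoot path is assumed, and the pattern deliberately generalizes from the two names in the thread to every dotfile, because it anchors on the leading dot, which has no upper- or lower-case form for HFS+ to fold.

```apache
# Added example (not from the original posts). Deny every dotfile
# (.DS_Store, .FBCIndex, .htaccess, ...) and switch off directory listings.
# The directory path is an assumption; use your own DocumentRoot.
<Directory "/Library/WebServer/Documents">

    # Weak form, shown only to mark the gap:
    #
    #   <Files ".DS_Store">
    #       Require all denied
    #   </Files>
    #
    # <Files> compares the literal request name, so on case-insensitive
    # HFS+ a request for /some_directory/.dS_store slips past the filter
    # and still opens the very same file on disk.

    # Regex form: anchored on the leading dot, so however the attacker
    # spells the rest of the name, the match is unaffected by case.
    <FilesMatch "^\.">
        # Apache 2.4
        Require all denied
        # Apache 1.3 / 2.2 equivalent:
        #   Order allow,deny
        #   Deny from all
    </FilesMatch>

    # Never generate a listing, even in a directory with no index.html.
    Options -Indexes

</Directory>
```

This fragment covers only the file-name half of the problem. Directory paths are matched separately by Apache, which is what the thread reaches for mod_hfs to handle, and it does nothing about the files themselves being world-readable on disk, which is the question Bennett raises.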

