WebApp Sec mailing list archives
Re: htaccess with apache
From: Tim Greer <chatmaster () charter net>
Date: 11 Nov 2003 14:34:44 -0800
On Fri, 2003-11-07 at 06:12, António Vasconcelos wrote:
> Tim Greer wrote:
>>> the traditional buffer overflow in malloc() and memcpy() or strcpy() shows just that.
>> How is this relevant to the permissions on passwd?
> Just to show how easy it is to do something that looks to be innocent and turns out to be a major security problem.
Pretty easy, assuming the person in question doesn't know about the subject. However, and alternatively, the same question applies when people make a big deal about something that isn't when they don't fully understand the implications of.
>> (unless your server isn't set up well), and save the resources since your server is secured properly. Oh well, to each their own, but I have to wonder when people make a big deal about something that's not.
> I'm not talking about good/bad server setup.
If you're saying access to view the passwd file is a huge risk you are.
> It's just that the username/password authentication mechanism is a weak one, and I know that, if possible, users will use a bad or easy to guess password.
Then the problem exists anyway. I said myself that it doesn't hurt, but there's no way you can effectively run a web host with many users on it and hide all this trivial information and still have a lot of services (and security implementations) work well. If the user has a weak password, it's all over anyway for their account. You can protect your system, provided you know how, but you can not make people smarter and trying to hide such trivial things is not going to do any good. Those are the people that shouldn't have shell access anyway, and being that, the username in passwd will not need to be the same for their email or FTP anyway, so what risk does the system's yellow page file pose? Do you see what I mean about "how you set up your system and how secure it is"?
> My experience tells me that about 10% of the users _do_ choose a password that can be retrieved just from the username and GECOS fields, plus one or two digits.
Okay, so someone can likely know this from their CGI/PHP script, error codes/banners/messages, domain name, etc. anyway. And, what I said above still applies.
> So, disclosing the /etc/passwd file is something that should not be done,
Yes it should.
> and should not be regarded as trivial.
But, it is.
> As it _may_ contain info valuable for someone that wants to break into your system.
Unlikely. And only valuable to access the person's account--your system has nothing to do with it if it's secure--either it is or not. You plan for users to have their accounts accessed due to weak passwords or poor methods of storing them, and so on. If their script is insecure to allow any file to be viewed that the CGI/PHP process allows, then an attacker can easily find out what their username is ANYWAY! Why do you actually believe this is such a big deal?
> You should not regard anything as trivial just because you don't know how (or if) it can be used against you.
I agree, and since I do know, I can confidently say this is trivial. If you fail to understand the issues involved, that's not my fault. Conversely, the same logic applies to the other side of this debate--you shouldn't regard things as a major risk, just because you don't understand or know that they aren't. End of discussion. If you want me to provide an example on an account or via a vulnerable script, with the passwd having been accessed, I'll be happy to do it to prove my point to you. In the meantime, maybe buy some books or something and learn about the topic you are so hotly debating.
--
Tim Greer <chatmaster () charter net>
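
An added illustration, not part of the original message or thread: a password-change-time check in Python that rejects the kind of password the quoted text describes, one derivable from the username and GECOS fields plus one or two digits. The function names and the sample passwd line are constructed for this example, and the check also rejects the bare token and two tokens joined together.

```python
import re
from itertools import permutations

def identity_tokens(passwd_line):
    """Lower-cased username and GECOS words from one passwd(5) line."""
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated passwd(5) fields")
    username, gecos = fields[0], fields[4]
    words = re.split(r"[^A-Za-z0-9]+", gecos)  # GECOS: name,room,phone,...
    # Ignore very short fragments (initials, "12") to limit false positives.
    return {w.lower() for w in [username, *words] if len(w) >= 3}

def is_derivable(password, passwd_line):
    """True if the password is one token, or two tokens joined, with at most
    two digits in front and at most two digits behind (case-insensitive)."""
    tokens = identity_tokens(passwd_line)
    bases = tokens | {a + b for a, b in permutations(tokens, 2)}
    pw = password.lower()
    # Try every way of peeling 0-2 leading and 0-2 trailing characters;
    # a split counts only if everything peeled off is a digit.
    for lead in range(3):
        for trail in range(3):
            end = len(pw) - trail
            if lead > end:
                continue
            affix = pw[:lead] + pw[end:]
            if (not affix or affix.isdigit()) and pw[lead:end] in bases:
                return True
    return False

# Constructed sample entry, not taken from any real system.
SAMPLE = "jsmith:x:1001:1001:John Smith,Room 12,555-0100:/home/jsmith:/bin/sh"

if __name__ == "__main__":
    for candidate in ["Smith42", "johnsmith7", "john1978", "m9#Vq!t2Lw"]:
        verdict = "reject" if is_derivable(candidate, SAMPLE) else "accept"
        print(f"{candidate!r}: {verdict}")
```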