1995-09-19 - Re: NYT on Netscape Crack
Header Data
From: Ray Cromwell <rjc@clark.net>
To: sameer@c2.org (sameer)
Message Hash: 0b53c40e0e45d73e9f3de7885c562d89c0853fc4021cfa2ef8a27f8fed157ac9
Message ID: <199509190734.DAA09824@clark.net>
Reply To: <199509190713.AAA01128@infinity.c2.org>
UTC Datetime: 1995-09-19 07:34:36 UTC
Raw Date: Tue, 19 Sep 95 00:34:36 PDT
Raw message
From: Ray Cromwell <rjc@clark.net>
Date: Tue, 19 Sep 95 00:34:36 PDT
To: sameer@c2.org (sameer)
Subject: Re: NYT on Netscape Crack
In-Reply-To: <199509190713.AAA01128@infinity.c2.org>
Message-ID: <199509190734.DAA09824@clark.net>
MIME-Version: 1.0
Content-Type: text/plain
>
> >
> > I doubt this in the case of the browser. Atleast as far as the
> > parsing is concerned. There may be a buffer overflow for example,
>
> Buffer overflow seems like a much greater concern when dealing
> with a server. Particularly one which is supposedly "secure", and
> accessing "secured" documents. Even with the server running as
> 'nobody' if someone can implement buffer overflow to get access to
> documents they shouldn't then that would count as a pretty significant
> hack.
Right. Some other common ones are ".." and shell meta characters
in paths. Also, accessing files that you don't have permissions
to. Even if the server is perfect, the setup could be bad. For
instance, if you use CERN's Authentication scheme for protecting
URL hierarchies, do not put the passwd/group file within the
hierarchy. I've noticed this before on some servers, like
http://www.isp.com/company1/passwd contains the passwd file for the
http://www.isp.com/company1/ URL directory. Although it is convenient
to store the passwd file within the hierarchy it is protecting, care
must be taken to make it unreadable by normal HTTP requests. It's better
to put it in a configuration directory somewhere where no server
has access to. (I've seen this mistake plenty of times)
A barebone's web server is a pretty simple piece of a software compared
to a browser (or sendmail), so it should be possible to make them
much more secure.
-Ray
Thread
Return to September 1995
- Return to “Adam Shostack <adam@homeport.org>”
- Return to “Black Unicorn <unicorn@polaris.mindport.net>”
- Return to “Eli Brandt <eli@UX3.SP.CS.CMU.EDU>”
- Return to “Eric Young <eay@mincom.oz.au>”
- Return to “hallam@w3.org”
- Return to “John Young <jya@pipeline.com>”
- Return to “jsw@neon.netscape.com (Jeff Weinstein)”
- Return to “m5@dev.tivoli.com (Mike McNally)”
- Return to ““Perry E. Metzger” <perry@piermont.com>”
- Return to “Ray Cromwell <rjc@clark.net>”
- Return to “sameer <sameer@c2.org>”
- Return to “shields@tembel.org (Michael Shields)”
Return to “Thomas Grant Edwards <tedwards@Glue.umd.edu>”
- 1995-09-19 (Mon, 18 Sep 95 20:35:19 PDT) - NYT on Netscape Crack - John Young <jya@pipeline.com>
- 1995-09-19 (Mon, 18 Sep 95 20:55:59 PDT) - Re: NYT on Netscape Crack - “Perry E. Metzger” <perry@piermont.com>
- 1995-09-19 (Mon, 18 Sep 95 21:20:38 PDT) - Re: NYT on Netscape Crack - Black Unicorn <unicorn@polaris.mindport.net>
- 1995-09-19 (Mon, 18 Sep 95 21:28:11 PDT) - Re: NYT on Netscape Crack - “Perry E. Metzger” <perry@piermont.com>
- 1995-09-19 (Mon, 18 Sep 95 21:28:51 PDT) - Re: NYT on Netscape Crack - “Perry E. Metzger” <perry@piermont.com>
- 1995-09-19 (Mon, 18 Sep 95 22:02:45 PDT) - Re: NYT on Netscape Crack - sameer <sameer@c2.org>
- 1995-09-19 (Tue, 19 Sep 95 00:03:38 PDT) - Re: NYT on Netscape Crack - Ray Cromwell <rjc@clark.net>
- 1995-09-19 (Tue, 19 Sep 95 00:18:35 PDT) - Re: NYT on Netscape Crack - sameer <sameer@c2.org>
- 1995-09-19 (Tue, 19 Sep 95 00:34:36 PDT) - Re: NYT on Netscape Crack - Ray Cromwell <rjc@clark.net>
- 1995-09-19 (Tue, 19 Sep 95 00:53:18 PDT) - Re: NYT on Netscape Crack - sameer <sameer@c2.org>
- 1995-09-20 (Tue, 19 Sep 95 23:49:33 PDT) - Re: NYT on Netscape Crack - shields@tembel.org (Michael Shields)
- 1995-09-19 (Tue, 19 Sep 95 00:53:18 PDT) - Re: NYT on Netscape Crack - sameer <sameer@c2.org>
- 1995-09-19 (Tue, 19 Sep 95 06:49:50 PDT) - Re: NYT on Netscape Crack - Adam Shostack <adam@homeport.org>
- 1995-09-19 (Tue, 19 Sep 95 07:00:23 PDT) - Re: NYT on Netscape Crack - sameer <sameer@c2.org>
- 1995-09-19 (Tue, 19 Sep 95 00:34:36 PDT) - Re: NYT on Netscape Crack - Ray Cromwell <rjc@clark.net>
- 1995-09-19 (Tue, 19 Sep 95 08:49:43 PDT) - Re: NYT on Netscape Crack - hallam@w3.org
- 1995-09-19 (Tue, 19 Sep 95 00:18:35 PDT) - Re: NYT on Netscape Crack - sameer <sameer@c2.org>
- 1995-09-19 (Tue, 19 Sep 95 12:38:35 PDT) - Re: NYT on Netscape Crack - Thomas Grant Edwards <tedwards@Glue.umd.edu>
- 1995-09-19 (Mon, 18 Sep 95 21:20:38 PDT) - Re: NYT on Netscape Crack - Black Unicorn <unicorn@polaris.mindport.net>
- 1995-09-19 (Mon, 18 Sep 95 21:15:19 PDT) - Re: NYT on Netscape Crack - Black Unicorn <unicorn@polaris.mindport.net>
- 1995-09-19 (Tue, 19 Sep 95 01:14:28 PDT) - Re: NYT on Netscape Crack - jsw@neon.netscape.com (Jeff Weinstein)
- 1995-09-19 (Tue, 19 Sep 95 03:16:22 PDT) - Re: NYT on Netscape Crack - Eric Young <eay@mincom.oz.au>
- 1995-09-19 (Tue, 19 Sep 95 05:40:36 PDT) - Re: NYT on Netscape Crack - m5@dev.tivoli.com (Mike McNally)
- 1995-09-20 (Tue, 19 Sep 95 20:26:45 PDT) - Re: NYT on Netscape Crack - “Perry E. Metzger” <perry@piermont.com>
- 1995-09-20 (Tue, 19 Sep 95 21:05:58 PDT) - Re: NYT on Netscape Crack - Ray Cromwell <rjc@clark.net>
- 1995-09-20 (Wed, 20 Sep 95 07:05:47 PDT) - Re: NYT on Netscape Crack - “Perry E. Metzger” <perry@piermont.com>
- 1995-09-20 (Tue, 19 Sep 95 21:05:58 PDT) - Re: NYT on Netscape Crack - Ray Cromwell <rjc@clark.net>
- 1995-09-19 (Tue, 19 Sep 95 07:38:57 PDT) - Re: NYT on Netscape Crack - Eli Brandt <eli@UX3.SP.CS.CMU.EDU>
- 1995-09-19 (Tue, 19 Sep 95 13:09:56 PDT) - Re: NYT on Netscape Crack - Thomas Grant Edwards <tedwards@Glue.umd.edu>
- 1995-09-19 (Mon, 18 Sep 95 20:55:59 PDT) - Re: NYT on Netscape Crack - “Perry E. Metzger” <perry@piermont.com>