From: Ray Cromwell <rjc@clark.net>
To: sameer@c2.org (sameer)
Message Hash: 0b53c40e0e45d73e9f3de7885c562d89c0853fc4021cfa2ef8a27f8fed157ac9
Message ID: <199509190734.DAA09824@clark.net>
Reply To: <199509190713.AAA01128@infinity.c2.org>
UTC Datetime: 1995-09-19 07:34:36 UTC
Raw Date: Tue, 19 Sep 95 00:34:36 PDT
From: Ray Cromwell <rjc@clark.net>
Date: Tue, 19 Sep 95 00:34:36 PDT
To: sameer@c2.org (sameer)
Subject: Re: NYT on Netscape Crack
In-Reply-To: <199509190713.AAA01128@infinity.c2.org>
Message-ID: <199509190734.DAA09824@clark.net>
MIME-Version: 1.0
Content-Type: text/plain
>
> >
> > I doubt this in the case of the browser. Atleast as far as the
> > parsing is concerned. There may be a buffer overflow for example,
>
> Buffer overflow seems like a much greater concern when dealing
> with a server. Particularly one which is supposedly "secure", and
> accessing "secured" documents. Even with the server running as
> 'nobody' if someone can implement buffer overflow to get access to
> documents they shouldn't then that would count as a pretty significant
> hack.
Right. Some other common ones are ".." and shell meta characters
in paths. Also, accessing files that you don't have permissions
to. Even if the server is perfect, the setup could be bad. For
instance, if you use CERN's Authentication scheme for protecting
URL hierarchies, do not put the passwd/group file within the
hierarchy. I've noticed this before on some servers, like
http://www.isp.com/company1/passwd contains the passwd file for the
http://www.isp.com/company1/ URL directory. Although it is convenient
to store the passwd file within the hierarchy it is protecting, care
must be taken to make it unreadable by normal HTTP requests. It's better
to put it in a configuration directory somewhere where no server
has access to. (I've seen this mistake plenty of times)
A barebone's web server is a pretty simple piece of a software compared
to a browser (or sendmail), so it should be possible to make them
much more secure.
-Ray
Return to September 1995
Return to “Thomas Grant Edwards <tedwards@Glue.umd.edu>”