1995-09-19 - Re: Fundamental Netscape hack

Header Data

From: “Henry W. Farkas” <hfarkas@ims.advantis.com>
To: Bill Stewart <stewarts@ix.netcom.com>
Message Hash: 2372c792b6b773a359cb974835bd7eecf326ae316fa1599e04986db367f342b1
Message ID: <Pine.A32.3.91.950919105737.45409A-100000@pangloss.ims.advantis.com>
Reply To: <199509190954.CAA24686@ix.ix.netcom.com>
UTC Datetime: 1995-09-19 15:53:18 UTC
Raw Date: Tue, 19 Sep 95 08:53:18 PDT

Raw message

From: "Henry W. Farkas" <hfarkas@ims.advantis.com>
Date: Tue, 19 Sep 95 08:53:18 PDT
To: Bill Stewart <stewarts@ix.netcom.com>
Subject: Re: Fundamental Netscape hack
In-Reply-To: <199509190954.CAA24686@ix.ix.netcom.com>
Message-ID: <Pine.A32.3.91.950919105737.45409A-100000@pangloss.ims.advantis.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 19 Sep 1995, Bill Stewart wrote:

> Of course, one of the most serious security problems with Netscape servers
> is that they run on machines sitting out there on the Internet where
> anybody who can browse their services can attack them - that 128-bit
> bullet-proof iron-clad front door isn't much help if the garage door is
> unlocked because of some sendmail bug.  

Or- even easier yet- improper httpd installation or users who have not
been properly trained.  NCSA's default configuration file makes document
root a subtree.  One major institution I deal with regularly (and the
administrators should know better) changed the default setting, allowing
users to store html files in their home directory.  And, it seems, the
file permissions were too lax.  If a user had no index.html then I could
just cruise through their home directory, view most files and, in some
(inappropriate) cases, download them.  I told the administrator, and
mailed him a copy of a user's address book (she was a friend and knew what
I was doing before I did it).  The situation has changed and is now more
secure.  But I wonder how many other institutions have an inappropriate 
DocumentRoot so (I guess) users can have a "single home directory"?

===========================================================================
     Henry W. Farkas      |      Me?    Speak for IBM?    Fat chance.
 hfarkas@ims.advantis.com |------------------------------------------------  
   hfarkas@vnet.ibm.com   |     http://newstand.ims.advantis.com/henry
      henry@nhcc.com      |          http://www.nhcc.com/~henry 
- ---------------------------------------------------------------------------
PGP 6.2.2 Key fingerprint: AA D0 F5 44 C1 8C 11 52  B3 80 34 1C CE 38 EC 53
 Public key at: pgp-public-keys@pgp.mit.edu, and other popular key servers.
- ---------------------------------------------------------------------------
Brought to you by Henry's Hardware: Home of the Pretty Good Hack "We're not
  fast, but it's not bad, and we're cheaper than the guy down the street!"
===========================================================================


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed with Bryce's Auto-PGP v1.0beta

iQCVAwUBMF7nGKDthkLkvrK9AQEIbwQAl7k86Tk4gY/KU9JYS4lyI63fH4lJYTHw
+Pl85cx3M/RI/kO8N9ZaUih4Hh+8CnNl7xA6NWtURfcSuCCgW3mrdRbKT8KTW/3M
hohmv3yyyU2Ot24B4hb2/lZN5s/fR2JMdsWhKoZdm19xnlQIMBjidP6zxcavE/JC
GNbJm94mBIA=
=L0lD
-----END PGP SIGNATURE-----





Thread