Security Basics mailing list archives
RE: Directory Scanner
From: "Calderon, Juan Carlos \(GE, Corporate, consultant\)" <juan.calderon () ge com>
Date: Tue, 14 Feb 2012 09:09:45 -0500
Oops one last comment, If you implement option 2, do not show different error messages when file exist or when user cannot access it, show a generic "document is not available for you" or similar message. Otherwise, enumeration is still possible although you cannot have immediate access to the document at that moment. Regards, Juan C Calderon -----Original Message----- From: Calderon, Juan Carlos (GE, Corporate, consultant) Sent: Tuesday, February 14, 2012 8:07 AM To: 'htroup () acm org' Cc: security-basics () securityfocus com; webappsec () securityfocus com Subject: RE: Directory Scanner Darn, you are correct Henry, I guess I just read too fast. Refocusing the answer, There are 2 alternatives I would suggest 1. You can implement HTTP Digest/Challenge authentication (no BASIC authentication please, unless you have SSL) on the files directory 2. If you have forms authentication, Implement a proxy page (as suggested before) that will serve the actual document, save the file-user relationship on a DB AND move the documents to a non-Web (to prevent direct access) and non-system folder (to prevent privilege escalation). If each document needs to be served to a different user or a group of named users or a combination of both (they are private documents) then option 2 is easier to maintain in my experience. Regards, hope it helps Juan C Calderon -----Original Message----- From: Henry Troup [mailto:htroup () gmail com] On Behalf Of Henry Troup Sent: Monday, February 13, 2012 4:14 PM To: Calderon, Juan Carlos (GE, Corporate, consultant) Subject: Re: Directory Scanner I thought the point was that document_1 implied that someone might request _2 through _65535 and forcibly enumerate the documents. Henry Troup, Ottawa, Canada Sent from my BlackBerry 613-851-5095 htroup () acm org -----Original Message----- From: "Calderon, Juan Carlos \(GE, Corporate, consultant\)" <juan.calderon () ge com> Sender: listbounce () securityfocus com Date: Mon, 13 Feb 2012 09:45:49 To: Alexander Pick<acpi () mac com>; Thugzclub Thugzclub<thugzclub () googlemail com> Cc: <security-basics () securityfocus com>; <webappsec () securityfocus com> Subject: RE: Directory Scanner I understand authentication to these documents is not an issue what is an issue is directory listing. IIS prevents this by default so I assume you are using Apache, Tomcat or another server. So the best way to prevent this issue is to modify your .htaccess file to avoid listing files: Here is an example of how to use it http://www.javascriptkit.com/howto/htaccess11.shtml Regards, Juan C Calderon -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Alexander Pick Sent: Wednesday, February 08, 2012 3:11 AM To: Thugzclub Thugzclub Cc: security-basics () securityfocus com; webappsec () securityfocus com Subject: Re: Directory Scanner Another idea is to proxy your download URLs through a script and hide the real files outside the web root. If you do it in PHP it's pretty simple (header + read file + bit security). Just make sure to make the script secure in terms of directory transversal etc., many people hide their downloads for security and create even bigger holes with bad scripts. You can also add all sort of attack detection to it, like recording the hit count of an IP to it and auto locking the downloads after a certain amount. Hope this helps. greets, Alex
A question: Given a website URL like the below : http://www.companywebsite.com/resources/resources/whitepapers/document _1_wp.pdf http://www.companywebsite.com/resources/resources/whitepapers/document _arbinatryname__wp.pdf How can I protect somebody from enumerating the list of file on this "whitepapers" directory ? What tool can I use to make sure that I am adequately protected against this ? Cheers ---------------------------------------------------------------------- -- Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be4 42f727d1 ---------------------------------------------------------------------- --
This list is sponsored by Cenzic -------------------------------------- Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus -------------------------------------- This list is sponsored by Cenzic -------------------------------------- Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus -------------------------------------- ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- How to prevent Dos and DDoS,, (continued)
- How to prevent Dos and DDoS, Dinh Truong Quang (Feb 15)
- Re: How to prevent Dos and DDoS, Ivan .Heca (Feb 15)
- RE: How to prevent Dos and DDoS, Dave, Manish, R. - EIL (MUM) (Feb 15)
- Re: How to prevent Dos and DDoS, Steven (Feb 15)
- Re: How to prevent Dos and DDoS, NetRunner Zoner (Feb 15)
- Re: How to prevent Dos and DDoS, Quentin Chung@Programmer (Feb 16)
- Re: How to prevent Dos and DDoS, LIAD Mizrachi (Feb 16)
- Re: How to prevent Dos and DDoS, security () stealthnodes com (Feb 16)
- Re: How to prevent Dos and DDoS, Claudiu Hulea (Feb 16)
- Re: How to prevent Dos and DDoS, Teddy Quentin Chung (Feb 16)
- Message not available
- RE: Directory Scanner Calderon, Juan Carlos (GE, Corporate, consultant) (Feb 14)