WebApp Sec mailing list archives
RE: Prevent security bypass
From: "Logan F.D. Greenlee" <lgreenlee () ciretose net>
Date: Tue, 4 Feb 2003 23:25:28 -0500
Chris,

An easy way to accomplish this would be to add NTLM authentication to your existing login form.

First, create a single directory in which your protected files reside. Turn off Anonymous access to the directory and its children. Add a low privilege user to the machine that has as few rights as possible. On the file system add this user with read only access to the directory. All files and directories below the protected HTML root should inherit permissions from its parent.

Finally, modify your asp login form to add NTLM authentication to the login process. Authenticate each user as the low privileged NT user created earlier, in addition to your standard form/session user authentication. Obviously NT authentication should only take place if the user has a valid form based login.

This should meet your needs for protecting your HTML files and ensuring that your web app users are not gaining undue rights on your web server(s).

-Logan

-----Original Message-----
From: Chris Neil [mailto:Chris.Neil () abs-ltd com]
Sent: Tuesday, February 04, 2003 12:00 PM
To: 'webappsec () securityfocus com'
Subject: Prevent security bypass

I am new to this mailing list and so hope this conforms to the guidelines as I read them.

How do people address the issue of non-authenticated users requesting html pages directly from a site without logging in? FYI, this is an IIS server. Our asp pages check the user is logged in, but with html pages we cannot. My only idea so far is to convert all our html pages to asp. Is there anything less drastic?

Chris Neil
Security Officer
Chris.Neil () abs-ltd com
-------------------------------------------
ABS
Tel: +44 (0) 1993 771221
Fax: +44 (0) 1993 775081
-------------------------------------------
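As an added illustration (not code from Chris's or Logan's messages), here is the "serve the HTML through a script" variant of the session gate rather than Logan's NTLM step: a single classic ASP gateway page on IIS that streams a requested .html file from a folder that direct requests cannot reach. It assumes the existing asp login form sets Session("LoggedIn"), that the folder path "D:\protected_html\" is a hypothetical location the ASP process account can read but which has Anonymous access disabled (or sits outside the web root), and that the file-name whitelist is what keeps the gateway from being abused for path traversal.

```asp
<%@ Language="VBScript" %>
<% Option Explicit
' Added example, not from the original thread.
' Assumption: the login form sets Session("LoggedIn") = True on success.
' Assumption: protected pages live under this hypothetical folder, which
' anonymous web requests cannot reach directly.
Const PROTECTED_ROOT = "D:\protected_html\"

' 1. Refuse anyone without a valid form/session login.
If Session("LoggedIn") <> True Then
    Response.Status = "403 Forbidden"
    Response.Write "Please log in first."
    Response.End
End If

' 2. Accept only a bare file name such as "report.html".
'    Rejecting anything else (backslashes, "..", drive letters) before
'    touching the disk closes the traversal hole a naive gateway would open.
Dim page, re
page = Trim(Request.QueryString("page") & "")
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_\-]+\.html?$"
If Not re.Test(page) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid page name."
    Response.End
End If

' 3. Stream the file from the protected folder.
Dim fso, fullPath, stream
Set fso = Server.CreateObject("Scripting.FileSystemObject")
fullPath = PROTECTED_ROOT & page
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.Write "No such page."
    Response.End
End If

Response.ContentType = "text/html"
Set stream = fso.OpenTextFile(fullPath, 1)  ' 1 = ForReading
Response.Write stream.ReadAll
stream.Close
%>
```

Links in the site then point at view.asp?page=report.html (hypothetical name) instead of the .html file itself, so the only path to the static content goes through the session check.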