WebApp Sec mailing list archives
Re: htaccess with apache
From: Tim Greer <chatmaster () charter net>
Date: 07 Nov 2003 08:39:49 -0800
On Fri, 2003-11-07 at 06:12, António Vasconcelos wrote:
> Just to show how easy it is to do something that looks to be innocent and turns out to be a major security problem.
That is another issue, it's not relevant. I'm not sure how aware of issues you are, but it would behoove you to not respond to me as if I do not know because you happen to disagree about this discussion and this file in particular.
> > (unless your server isn't set up well), and save the resources since your server is secured properly. Oh well, to each their own, but I have to wonder when people make a big deal about something that's not.
> I'm not talking about good/bad server setup. It's just that the username/password authentication mechanism is a weak one, and I know that, if possible, users will use a bad or easy to guess password.
Assuming you authenticate using this file by allowing shell access and don't chroot that service, sure. Like I said, there's plenty of ways to obtain that information anyway--and if a user uses an insecure password, someone's going to easily get access to their account anyway--there's no way to prevent that if you are allowing users to set weak passwords. You can implement methods to not allow them to change their passwords to any that appear weak, but users like that will store it in an unsafe manner that would likely be easier for the attacker to obtain it anyway--so the main issue is to have a secure server where the person that compromises the stupid user's account, can't do anything.
> My experience tells me that about 10% of the users _do_ choose a password that can be retrieved just from the username and GECOS fields, plus one or two digits.
Well, there's more ways to get that information and too many programs/services rely on this file to run properly--you can only tweak it so much, so chroot the services they'd use and it's not going to hurt--but I just think you're making too big of a deal about it. Someone's easily going to be able to obtain that information anyway, and get into such a user's account anyway.
> So, disclosing the /etc/passwd file is something that should not be done, and should not be regarded as trivial.
If you say so, but I don't agree.
> As it _may_ contain info valuable for someone that wants to break into your system.
Or, you mean "another user's site", having nothing to do with the system (other than the discussion of a vulnerable CGI/PHP script being able to open the passwd file from a remote attack so a remote attacker could get clued in). That may be true, but that should be as far as an attacker can get on a secured system anyway. Yes, it's something you want to prevent, but there's no realistic way you can deny that information anyway, even in that medium--the remote attacker can obtain the information via many other files as well. Simply, don't have shell access and use a different user name that other services don't rely on the pass file to match beyond the uid, so it's safe and does its job, and then chroot the other services, for only the user that said service runs off of. This makes the passwd file useless to an attacker.
> You should not regard anything as trivial just because you don't know how (or if) it can be used against you.
Yes, I do know how/if, and it is trivial. Just because I don't agree with you, doesn't mean that I'm not aware that certain information can be used--you're just making it sound like more of an issue than it is. Thus, I can easily respond with "Just because you don't know it's not a big deal, doesn't mean it's as big of a risk as you think it is--because you don't know". Give me a break.
--
Tim Greer <chatmaster () charter net>
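
The thread mentions both passwords that can be derived from the username and GECOS fields plus one or two digits, and refusing password changes to values that appear weak. The following is an added example, not part of either poster's message: a password-change check that rejects such derivable passwords. The function names and the sample passwd entry are constructed for illustration.

```python
import re

# Constructed sample passwd entry (not from the thread).
SAMPLE_ENTRY = "jdoe:x:1001:1001:Jane Doe,Room 12,555-0100:/home/jdoe:/bin/sh"


def passwd_words(entry):
    """Return lower-cased words from the username and GECOS fields."""
    fields = entry.split(":")
    if len(fields) < 7:
        raise ValueError("not a passwd(5) entry")
    username, gecos = fields[0], fields[4]
    words = {username.lower()}
    # GECOS is free text, conventionally comma-separated sub-fields.
    for part in re.split(r"[^A-Za-z0-9]+", gecos):
        if len(part) >= 3:  # ignore fragments too short to matter
            words.add(part.lower())
    return words


def derived_candidates(words):
    """Words, their reversals, and two-word concatenations."""
    out = set(words)
    out |= {w[::-1] for w in words}
    out |= {a + b for a in words for b in words if a != b}
    return out


def is_derivable(password, entry, max_digits=2):
    """True if password is a candidate with up to max_digits digits
    added in front and/or behind (case-insensitive)."""
    n = max_digits
    # Peel off the optional digit prefix/suffix; the middle is the core word.
    m = re.fullmatch(rf"(\d{{0,{n}}})(.*?)(\d{{0,{n}}})", password.lower(), re.S)
    core = m.group(2)
    return bool(core) and core in derived_candidates(passwd_words(entry))
```

A password-change hook would call `is_derivable(new_password, entry)` with the user's own passwd entry and refuse the change when it returns `True`.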