Re: ncsa security problems

• To: www-security@ns2.rutgers.edu
• Subject: Re: ncsa security problems
• From: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
• Date: Fri, 14 Apr 1995 13:46:25 +0100 (BST)
• In-Reply-To: <199504131625.JAA18282@kitty.oester.com> from "Gintaras Richard Gircys" at Apr 13, 95 09:25:56 am

> there have been quite a few security issue posting on ncsa recently, enough
> to make me think about switching to the cern server (especially since the
> ncsa people seem somewhat refractory about fixes, etc.).
> 
> has anyone looked at the cern code? is it better? to date, seems to me that
> ncsa is by far the leader over cern in problems.

Hello,

  I have not looked at the code itself, but I have been commisioned by the
powers that be here to try and set up the CERN server to distribute local
senate papers to people in our local domain.

The CERN server itself seemed pretty secure. However, we exposed one hole
in the security paradigm (not the code). CERN, unlike NCSA, works on an
"include only" access method. That is, it allows you to say which
sites/domains can access a file, but not which cannot.

This is NOT a real problem i you can trust ALL hosts in a certain doamin,
but we have queries about one or two hosts in our local domain. This
causes a problem with the CERN server, as to allow all hosts but one
within a domain to access certain files means you have to validate each
host individually (a nightmare for server administration).

I circumvented the problem using a cgi-bin program (written in C... I'm
sorry!), which does a basic look up on the client's IP address, and
validates the client from there.

This may or may not be a problem in your domain, but I thought I'd bring
it to your attention.

Steff

• ncsa security problems
• From: "Gintaras Richard Gircys (GG148)" <rich@oester.com>

• Previous: re:ncsa security problems
• Next: re:ncsa security problems
• Index(es):
  • Index
  • Thread