www: security in unlinked directories

Discussion in 'Computer Security' started by Henning Meyer, Jul 8, 2003.

  1. Hello *,

    I've set up an apache server and this server needs to generate secure
    dynamic content. In order to protect it from remote access the server
    renders the content and stores it in a newly created directory consisting
    of 10 random characters. Only the right users get the complete link to
    this directory.
    How easy is it to find this dir? It will stay only for approx. 2 hours
    before being deleted. Is there a real chance to find it?
    (26+26+10)^10=839299365868340224 that's too much for brute force, isn't it?
    Or are there other ways to find the dir?

    any hints very welcome...

    Henning Meyer, Jul 8, 2003
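An added example (not from the original post) of the scheme Henning describes: a 10-character name drawn from the 62-character alphabet, the size of the search space he computes, and the guess rate an attacker would need to hit it inside the 2-hour lifetime. The function and variable names are mine; the only fixed points are the alphabet, the length and the 62^10 figure from the post. Note the use of `secrets` rather than `random`: the name is only unguessable if the generator is.

```python
import math
import re
import secrets
import string

# The alphabet from the post: 26 lowercase + 26 uppercase + 10 digits = 62.
ALPHABET = string.ascii_letters + string.digits
NAME_LEN = 10
# Exactly NAME_LEN characters from ALPHABET and nothing else (no "/", no "..").
NAME_RE = re.compile(r"^[A-Za-z0-9]{%d}$" % NAME_LEN)


def random_dir_name(length=NAME_LEN, alphabet=ALPHABET):
    """Draw the directory name from the OS CSPRNG via `secrets`.
    `random.choice` would not do: the Mersenne Twister behind the `random`
    module can be reconstructed from a few hundred observed outputs."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_well_formed(name):
    """Validate a name taken from a URL before it touches the file system,
    so that "../" and friends never reach a path join."""
    return NAME_RE.match(name) is not None


def search_space(alphabet_len=len(ALPHABET), length=NAME_LEN):
    """Number of possible names: 62**10 for the post's parameters."""
    return alphabet_len ** length


def entropy_bits(alphabet_len=len(ALPHABET), length=NAME_LEN):
    """Entropy of a uniformly chosen name, in bits."""
    return length * math.log2(alphabet_len)


def required_rate(space, probability, window_seconds, live_names=1):
    """Distinct guesses per second an attacker must sustain to reach
    `probability` of hitting one of `live_names` valid directories before
    the window closes. With distinct guesses and uniformly chosen names,
    P(hit) ~= guesses * live_names / space, so guesses = P * space / live."""
    return probability * space / live_names / window_seconds


if __name__ == "__main__":
    name = random_dir_name()
    space = search_space()
    print("name:", name, "well-formed:", is_well_formed(name))
    print("search space:", space, "(%.1f bits)" % entropy_bits())
    rate = required_rate(space, 0.5, 2 * 3600)
    print("guesses/s for a 50%% hit within 2 hours: %.2e" % rate)
```

The guess rate for a 50% hit within two hours works out to roughly 6e13 requests per second against a single live directory, which no web server will serve. Two caveats the arithmetic does not capture: the attacker's odds scale with the number of directories alive at once (every guess is checked against all of them, hence the `live_names` parameter), and a 60-bit name is only as secret as the channels it travels over: it appears in the server's own access log, in proxy logs, in browser history and in the Referer header of any link followed from the page.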
  2. Of course there is always the possibility of hidden bugs somewhere. If
    I remember correctly, sometime around Apache 1.3.19 there was a bug
    which revealed the contents of a directory - i.e. what you don't want.
    Of course _this_ bug is fixed now.. - but who knows when the next will
    be found?
    johannes m.r., Jul 8, 2003
  3. So long as you configure the server & code the contents of your website
    well, there should be no way for them to see the folder.

    As for the brute-forceability, pretty slim chance. First off, think who your
    potential hackers are. Are they going to know the format of your
    directory structure, to even be able to start a brute force attack? If not,
    it's pretty safe anyway. Are you expecting someone to leak this information?
    If so then it isn't safe anyway, but at least they will only be able to
    access it for two hours. If you really suspect someone will try to brute
    force it, you could always ban IP addresses that make too many failed

    There really are much better ways to restrict access to information on a
    webserver. The only reason I can think you would choose this way over (or as
    well as) standard password protection would be to time limit access to
    authorised users. But these people have access for two hours? Isn't that
    long enough to do whatever it is you seem concerned to secure them against?

    I'd be interested to hear what kind of application you would find this
    useful for, if it's not too sensitive.

    Richard Antony Burton, Jul 8, 2003
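Richard's suggestion of banning addresses that make too many failed requests can be done from the access log alone, since a brute-forcer guessing directory names leaves a trail of 404s. This is an added example, not code from the thread: a sliding-window counter over Apache common/combined log lines, run against a constructed sample log (the addresses, timestamps and names are made up). Thresholds and window are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache common/combined log line; only the fields we use are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, int(m.group("status"))


def ips_to_ban(lines, threshold=20, window=timedelta(minutes=10)):
    """IPs that produced at least `threshold` 404s inside a sliding `window`.
    Lines are assumed to be in chronological order, as in a log file."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 404s
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if status != 404:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            banned.add(ip)
    return banned


# --- constructed sample log (not a real capture) ---------------------------
def _line(ip, ts, path, status):
    return '%s - - [%s] "GET /%s/ HTTP/1.0" %d 345' % (
        ip, ts.strftime(TS_FMT), path, status)


_T0 = datetime(2003, 7, 8, 12, 0, 0, tzinfo=timezone.utc)
_entries = (
    # A legitimate user: one good request, then three typos over an hour.
    [(_T0, _line("192.0.2.10", _T0, "aB3dE6fG9h", 200))]
    + [(_T0 + timedelta(minutes=m),
        _line("192.0.2.10", _T0 + timedelta(minutes=m), "aB3dE6fG9x", 404))
       for m in (5, 35, 65)]
    # A brute-forcer enumerating names every ten seconds.
    + [(_T0 + timedelta(seconds=10 * i),
        _line("10.0.0.5", _T0 + timedelta(seconds=10 * i), "%010d" % i, 404))
       for i in range(25)]
)
SAMPLE_LOG = [ln for _, ln in sorted(_entries)] + [
    "this line is garbage and must be skipped",
]

if __name__ == "__main__":
    print(sorted(ips_to_ban(SAMPLE_LOG)))
```

Feeding the result to a firewall rule is the part left out here. Two limits worth knowing before relying on this: an attacker spread over many addresses stays under any per-IP threshold, and banning by IP also blocks everyone behind the same proxy or NAT as the offender.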
  4. Henning Meyer

    If you can access it from the web a determined - or maybe not so
    determined - hacker can too. Password protection be danged.

    The single most common way I have seen for folks to access stuff they aren't
    supposed to be able to see on Apache servers is that the folks in charge
    forget to put a nice blank html page named index.htm inside every single
    folder. If you don't do that then someone needs only know the name of the
    folder - or make a good guess - to get a complete list of every file in the

    There are some very neat tricks you can use with Apache though. Read up on
    htaccess - there are a couple of good tutorials online as well as tons of
    info at Apache.
    mto, Jul 13, 2003
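mto's point matters most one level up: if the directory that holds the generated subdirectories has listings enabled, a single request for it reveals every live random name at once. Rather than relying on a blank index file in every folder, turn listings off with a directive. This is an added configuration example, not from the thread; it assumes the parent directory's `AllowOverride` permits `Options` in `.htaccess`, and the file name `index.html` is an assumption.

```apache
# .htaccess in the directory that holds the generated subdirectories
# (or the matching <Directory> block in httpd.conf; AllowOverride Options
# must permit it for the .htaccess form to take effect).

# Never auto-generate a listing. Without this, a request for the parent
# directory would reveal every live random name at once.
Options -Indexes

# Serve the rendered page from each subdirectory. With Indexes off, a
# directory that lacks this file returns 403 rather than a file list.
DirectoryIndex index.html
```

`Options -Indexes` is inherited by subdirectories unless one of them turns it back on, so setting it once at the parent covers every generated directory.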
