Sorry for reviving this thread, but I still can't get to the right solution.

What I'd like to solve is the security problem stated below, which could be
exploited with something like:

    https://XXX/stats/USER2/stats/http/YYYY

Since I'm comparing against:

    !^/clientes/[^/]+/stats/http/

this would result in the request not being rewritten at all, so
authentication would be easily bypassed with any existing user [user1, user2,
user3, ...] (when the desired behaviour should be to only let through the one
where "auth user" == "user in url").

How could I enforce that? Perhaps there's another (secure) way to mark the
request as "rewritten", so I could check later without the need to compare
against "!^/clientes/[^/]+/stats/http/".

Please, help! :-(

Cheers,
-r

Roman Medina-Heigl Hernandez wrote:
> Hello,
>
> I have a *partially*-working solution which I'd like to share with you. It's
> tricky (based on my own home structure) and limited, though. Feedback is
> appreciated, please!
>
> Some comments:
> - Debian 5.0 includes ajp 1.2.12, so I cannot get the url/dir from another
> column in the users' table (this functionality is for ajp 1.3+). In my case, I
> can live without it, having the following convention: the username will be a
> domain name (which makes sense, since I want to offer stats pages for
> different domains). For instance, stats for domain "test.com" will use the
> username "test.com".
> - I've only experimented with per-dir rewrite (the non-recommended way...),
> which has the limitation of request reinjection (so you must include
> negative rewrite rules which protect you against loops). Perhaps it may be
> improved with server rewrite.
> - The current method is not secure: an attacker knowing the internal
> homedir structure could easily craft a request bypassing the rewrite
> ruleset, being able to access another domain/user's stats. It could also be
> used to access other directories/files of other users (in my case those
> dirs are protected using OS permissions).
> - Performance is not very efficient, since I'm reinjecting requests (it
> seems unavoidable if using per-dir rewrite).
> - Stats home for domain "test.com" will be:
>     /clientes/test.com/stats/http/
> which should be accessed through:
>     http://isp/stats/
>
>
> Current config is:
> ====
>
> Alias /stats /clientes
>
> <Location /stats/>
>     # Basic Auth
>     AuthType Basic
>     AuthName "Stats"
>     AuthBasicProvider dbd
>
>     Require valid-user
>     AuthDBDUserPWQuery "SELECT pass FROM stats WHERE user = %s and enabled = 1"
>
>     # Rewrite so that each user lands in their own stats directory
>     RewriteEngine on
>     RewriteBase /stats
>     RewriteRule !^/clientes/[^/]+/stats/http/ - [C]
>     RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [PT]
> </Location>
>
> ====
>
> More comments:
> - at the beginning I tried something like:
>     RewriteBase /stats
>     RewriteCond $1 !^%{REMOTE_USER}/
>     RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [PT]
>
> The problem is that you cannot have %{REMOTE_USER} as the 2nd parameter in
> RewriteCond, so I have no way of comparing it with $1 (which couldn't be in
> the 2nd parameter, either). Any idea how to implement it? (i.e. test if the
> REMOTE_USER string is included in the URI path).
>
> Cheers,
> -Roman
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> ---------------------------------------------------------------------
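As an added example (this is not the thread author's configuration, nor anything from the httpd project), here is one way to express the "auth user == user in url" check with mod_rewrite alone. It assumes the same layout as the quoted config (Alias /stats /clientes, per-user stats under /clientes/<user>/stats/http/, and a username equal to the directory name) and per-directory rewriting, where REMOTE_USER is already populated because authentication has run; the "::" separator and the rule ordering are my own choices. The trick is the one the poster was missing: RewriteCond cannot take a variable as its second argument, but both values can be placed in the TestString and compared with a backreference inside the CondPattern.

```apache
Alias /stats /clientes

<Location /stats/>
    AuthType Basic
    AuthName "Stats"
    AuthBasicProvider dbd
    Require valid-user
    AuthDBDUserPWQuery "SELECT pass FROM stats WHERE user = %s and enabled = 1"

    RewriteEngine on
    RewriteBase /stats

    # Rule 1: ownership check.
    # Once a path already has the final shape /clientes/<owner>/stats/http/...,
    # it may only be served when <owner> is the authenticated user.
    # The TestString is "<REMOTE_USER>::<owner>"; the CondPattern captures the
    # left half and requires the right half to be identical via \1.
    # Neither value is used as a regex, only as literal text in the TestString,
    # so a username or path component containing metacharacters cannot alter
    # the pattern. A username cannot contain ":" (Basic auth splits on it),
    # and an empty REMOTE_USER fails [^:]+ and is therefore denied as well.
    RewriteCond %{REMOTE_USER}::$1 !^([^:]+)::\1$
    RewriteRule ^/clientes/([^/]+)/stats/http/ - [F]

    # Rule 2: loop guard. A final-shape path that passed rule 1 is done.
    RewriteRule ^/clientes/[^/]+/stats/http/ - [L]

    # Rule 3: anything else is relocated under the authenticated user's tree
    # and reinjected, exactly as in the original ruleset.
    RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [PT]
</Location>
```

Walking the poster's bypass through this: a request for /stats/USER2/stats/http/YYYY by user1 reaches rule 1 as /clientes/USER2/stats/http/YYYY, the TestString becomes "user1::USER2", the CondPattern does not match, the negated condition is true and the request gets a 403 instead of being passed through untouched. The legitimate /stats/index.html still becomes /stats/test.com/stats/http/index.html, is reinjected, satisfies rule 1 ("test.com::test.com") and stops at rule 2. Returning [F] rather than silently rewriting the crafted path into the caller's own tree is deliberate: the attempt becomes visible in the access log as a 403. Two caveats: the comparison is case-sensitive, which is correct on a case-sensitive filesystem but should be kept in mind if usernames are normalised elsewhere; and marking a request as "already rewritten" with an [E=...] variable would be weaker than this check, because the internal redirect carries such variables over (as REDIRECT_<name>) and the marker proves only that a rewrite happened, not that the right user owns the target.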