[ Thanks to Randy Cosby for this link. ]
“The second large class of errors we are going to address in this article deals with private data in public directories on a server. Many webspace providers offer just that: web space. Their hosting solutions map the root of your ftp directory onto the root of your server. That is, the server directory “/home/www/servers/www.customer.com/” is visible to the customer via ftp as “/”. It is also readable for everyone through the URL “http://www.customer.com/”. Should the customer's web application have the need to keep some files private and inaccessible from the web, there is no such location. A file stored via ftp as “/password” will be available through the URL “http://www.customer.com/password”.
“Many webshops write order logs or debugging output into one or multiple logfiles or have configuration files with passwords and article data. If this data is being stored below the document root, it will have a URL and is by default accessible via the web. All an attacker has to do is to guess the filenames of these files. This is quite easy if you know the defaults used by the 20 most popular shopping solutions and know how to identify the software used.”
“This problem does not occur with hosting solutions which were designed to provide private data storage as well as public page directories. In such solutions the ftp root directory “/” is mapped onto “/home/www/servers/www.customer.com/”, but the server's document root is located one level further down at “/home/www/servers/www.customer.com/pages”, accessible via ftp as “/pages”. In such a setup the customer can create additional directories above and in parallel to the document root and store sensitive data there. Because these directories are available through ftp, but not through http, they cannot be accessed via the web.”
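As an added example (not part of the quoted article), the following POSIX shell script builds both layouts the article describes in a temporary directory, using constructed sample files, and then audits each one: every log, password or configuration file found below the document root is listed together with the URL it would be served at. The hostname and file names are assumptions chosen to match the article's example; on a real hosting account you would point `find_exposed` at the actual document root.

```shell
#!/bin/sh
# Added example, not code from the quoted article.
# Audits a hosting tree for private files that sit below the document root
# and therefore have a URL. All paths and files below are constructed samples.
set -eu

# Build the two layouts from the article inside "$1".
make_layouts() {
  base="$1"
  # Layout A: the ftp root IS the document root, so "/password" becomes a URL.
  mkdir -p "$base/flat/www.customer.com"
  printf 'secret\n'          > "$base/flat/www.customer.com/password"
  printf 'order 1\n'         > "$base/flat/www.customer.com/orders.log"
  printf '<html></html>\n'   > "$base/flat/www.customer.com/index.html"
  # Layout B: document root one level down in /pages; private data beside it.
  mkdir -p "$base/split/www.customer.com/pages" "$base/split/www.customer.com/private"
  printf 'secret\n'          > "$base/split/www.customer.com/private/password"
  printf 'order 1\n'         > "$base/split/www.customer.com/private/orders.log"
  printf '<html></html>\n'   > "$base/split/www.customer.com/pages/index.html"
}

# List every file under the document root "$1" whose name suggests private
# data, with the URL it would get on host "$2". Prints nothing if none exist.
find_exposed() {
  docroot="$1"; host="$2"
  find "$docroot" -type f \( -name '*.log' -o -name 'password*' \
       -o -name '*.conf' -o -name '*.ini' -o -name '*.bak' \) \
    | while read -r f; do
        rel="${f#"$docroot"}"            # path relative to the document root
        echo "http://$host$rel  <-  $f"
      done
}

# Number of exposed files; zero means the layout keeps private data out of the web.
count_exposed() {
  find_exposed "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demonstration of both layouts.
tmp=$(mktemp -d)
make_layouts "$tmp"
echo "Layout A (ftp root is the document root):"
find_exposed "$tmp/flat/www.customer.com" www.customer.com
echo "Layout B (document root in /pages, private data beside it):"
find_exposed "$tmp/split/www.customer.com/pages" www.customer.com
rm -rf "$tmp"
```

The check is deliberately name-based, because that is exactly what the article says an attacker relies on: guessable default filenames. Running `count_exposed` against your own document root after every deployment is a cheap way to catch a log or config file that has drifted back under the web root.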