httpd-users mailing list archives

From Roman Medina-Heigl Hernandez <ro...@rs-labs.com>
Subject Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table
Date Mon, 11 May 2009 13:28:37 GMT
Sorry for reviving this thread... but I can't manage to reach the right
solution... What I'd like to solve is the security problem stated below,
which could be exploited with something like:
https://XXX/stats/USER2/stats/http/YYYY

Since I'm comparing against:
!^/clientes/[^/]+/stats/http/
This would result in the request not being rewritten at all, so authentication
could be easily bypassed with any existing user [user1, user2, user3, ...]
(when the desired behaviour should be to only let through the one where "auth
user" == "user in URL"). How could I enforce that?

Perhaps there's another (secure) way to mark the request as "rewritten", so
that I could check it later without needing to compare against
"!^/clientes/[^/]+/stats/http/".

Please help! :-(

Cheers,
-r


Roman Medina-Heigl Hernandez wrote:
> Hello,
> 
> I have a *partially* working solution which I'd like to share with you. It's
> tricky (based on my own home structure) and limited, though. Feedback is
> appreciated, please!
> 
> Some comments:
> - Debian 5.0 includes ajp 1.2.12, so I cannot get the url/dir from another
> column in the users' table (this functionality is for ajp 1.3+). In my case, I
> can live without it, using the following convention: the username will be a
> domain name (which makes sense, since I want to offer stats pages for
> different domains). For instance, stats for the domain "test.com" will use the
> username "test.com".
> - I've only experimented with per-dir rewrite (the non-recommended way...),
> which has the limitation of request reinjection (so you must include
> negative rewrite rules to protect yourself against loops). Perhaps it could be
> improved with server-level rewrite.
> - The current method is not secure: an attacker who knows the internal
> homedir structure could easily craft a request that bypasses the rewrite
> ruleset and gains access to another domain's/user's stats. It could also be
> used to access other directories/files belonging to other users (in my case
> those dirs are protected by OS permissions).
> - Performance is not very efficient, since I'm reinjecting requests (which
> seems unavoidable when using per-dir rewrite).
> - The stats home for the domain "test.com" will be:
> /clientes/test.com/stats/http/
> which should be accessed through:
> http://isp/stats/
> 
> 
> The current config is:
> ====
> 
>         # Map the public /stats URL prefix onto the customers' home tree
>         Alias /stats /clientes
> 
>         <Location /stats/>
>                 # Basic Auth
>                 AuthType Basic
>                 AuthName "Stats"
>                 AuthBasicProvider dbd
> 
>                 Require valid-user
>                 AuthDBDUserPWQuery "SELECT pass FROM stats WHERE user = %s and enabled = 1"
> 
>                 # Rewrite so that each user lands in their own stats directory
>                 RewriteEngine on
>                 RewriteBase /stats
>                 # Loop guard: only rewrite paths not already inside a user's stats home
>                 RewriteRule !^/clientes/[^/]+/stats/http/ - [C]
>                 RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [PT]
> 
> ====
> 
> More comments:
> - At the beginning I tried something like:
>                RewriteBase /stats
>                RewriteCond $1 !^%{REMOTE_USER}/
>                RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [PT]
> 
> The problem is that you cannot have %{REMOTE_USER} as the 2nd parameter of
> RewriteCond, so I have no way to compare it with $1 (which couldn't be the
> 2nd parameter either). Any idea how to implement it? (i.e. test whether the
> REMOTE_USER string is included in the URI path).
> 
> Cheers,
> -Roman
> 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
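The bypass described at the top of this message comes down to one fact: the negated RewriteRule is a loop guard, not an authorization check, so a request that already looks like `/clientes/<someone>/stats/http/...` after the Alias is handed through untouched, whoever authenticated. The following Python model of the posted ruleset is an added example (not Apache, and not the poster's code) that reproduces the rewrite chain on constructed requests and adds the missing check, which is that the user segment of the final path must equal REMOTE_USER. The user names and paths are made up for the demonstration.

```python
import re

# Constructed model of the posted mod_rewrite setup (added example, not Apache).
ALIAS_PREFIX = "/stats"                     # Alias /stats /clientes
ALIAS_TARGET = "/clientes"
# Per-user stats home, as matched by the posted loop guard
# "RewriteRule !^/clientes/[^/]+/stats/http/ - [C]"
STATS_HOME = re.compile(r"^/clientes/(?P<owner>[^/]+)/stats/http/")
# Source pattern of the second posted rule "RewriteRule ^/clientes/(.*) ..."
REWRITE_SRC = re.compile(r"^/clientes/(?P<rest>.*)")


def apply_alias(uri: str) -> str:
    """Model of 'Alias /stats /clientes': swap the URL prefix for the tree root."""
    if uri == ALIAS_PREFIX or uri.startswith(ALIAS_PREFIX + "/"):
        return ALIAS_TARGET + uri[len(ALIAS_PREFIX):]
    return uri


def rewrite_posted(uri: str, remote_user: str) -> str:
    """Model of the two posted rules in per-dir context, including reinjection.

    Rule 1 matches only when the path is NOT already inside a stats home.
    If it is, the chain ([C]) is skipped and the path passes through as-is.
    Rule 2 prefixes the authenticated user's stats home and passes the result
    through ([PT]); the reinjected request goes through Alias again and then
    stops at rule 1 on the second pass.
    """
    path = apply_alias(uri)
    if STATS_HOME.match(path):
        return path                         # rule 1 fails: nothing is rewritten
    m = REWRITE_SRC.match(path)
    if not m:
        return path
    reinjected = f"{ALIAS_PREFIX}/{remote_user}/stats/http/{m.group('rest')}"
    return apply_alias(reinjected)          # second pass: rule 1 skips, done


def owner_of(path: str):
    """User whose stats home the final path lies in, or None if outside any."""
    m = STATS_HOME.match(path)
    return m.group("owner") if m else None


def authorized_fixed(uri: str, remote_user: str) -> bool:
    """The check the posted config lacks: after rewriting, the request must sit
    inside the stats home of the very user who authenticated."""
    return owner_of(rewrite_posted(uri, remote_user)) == remote_user


if __name__ == "__main__":
    # Constructed requests: "user1" has passed Basic auth via authn_dbd.
    for uri in ("/stats/index.html",                    # normal use
                "/stats/user2/stats/http/index.html"):  # crafted bypass
        final = rewrite_posted(uri, "user1")
        print(f"{uri:38} -> {final:42} allowed={authorized_fixed(uri, 'user1')}")
```

The second request ends at `/clientes/user2/stats/http/index.html` without ever being rewritten, which is exactly why `Require valid-user` alone is not enough: the poster's regex guard cannot tell "already rewritten for this user" from "crafted to look rewritten". In mod_rewrite terms, the comparison `authorized_fixed` makes is the one the poster wanted in the first attempt. A general mod_rewrite idiom for comparing two values is to put both into the RewriteCond TestString with a separator (for example `%{REMOTE_USER}::$1`) and match the pair in the CondPattern with a regex backreference (`\1`); that idiom is an assumption stated here, not something verified against the poster's Location/RewriteBase setup, so it needs testing in place before being relied on.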

