From: jhb @
mil (John Balch)
Subject: Web Server Security
I've seen items about security holes in Web servers on this list and
elsewhere, but I need detailed information on a particular point.
Is it possible to break into a server that only carries HTML documents
through links to those documents on a Home Page on another server?
         |                Firewall, Server 'A'    HT link    Server 'B'
Internet |----- router ----- with Home ------------------- with
         |                   Page                          HTML docs
In other words, is Server 'B' protected by firewalled Server 'A' because
Server 'B' doesn't have a home page, or does that not make any difference?
Well, the problem with this, unless more recent revs of Mosaic and Netscape and
etc. have changed things, is that in order to get to Server B's HTML docs
one of 2 things has to be happening.
1) Server B's documents have to be exported to Server A (ala NFS etc.).
2) Server B is running httpd to allow other machines to access the web documents.
Solution 1 has all of the inherent problems of exporting files. Solution
2 essentially makes server B a web server too, although
a slightly behind the scenes one. You can block all services except
document retrieval on server B (e.g. no cgi-scripts), but httpd is still
running so the weakness still exists.
A "Home Page" is really just an HTML document. There is usually
a default html document that your httpd gives to users when
someone calls up http://www.yourserver.com, but a "home page" is not
intrinsically different than any other html doc.
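
The following is an added example, not part of the original messages. It audits a home page for the point made in the reply: every link is resolved as a browser would, and each server other than the one serving the home page is listed as an endpoint that must accept client requests itself. The host names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a home page served by Server 'A' (host names are made up).
HOME_URL = "http://server-a.example/index.html"
HOME_HTML = """
<html><body>
<a href="about.html">About</a>
<a href="/docs/faq.html">FAQ</a>
<a href="http://server-b.example/docs/manual.html">Manual</a>
<a href="http://server-b.example:8080/docs/notes.html">Notes</a>
<img src="http://server-b.example/img/logo.gif">
<a href="mailto:webmaster@server-a.example">Mail</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect every href/src value found in the page."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        self.refs += [v for k, v in attrs if k in ("href", "src") and v]

def endpoint(parts):
    """(host, port) a client connects to for an already-split http(s) URL."""
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)

def hosts_clients_contact(page_url, html):
    """Map each HTTP(S) endpoint to the URLs a browser would fetch from it."""
    collector = LinkCollector()
    collector.feed(html)
    endpoints = {}
    for ref in collector.refs:
        absolute = urljoin(page_url, ref)    # resolve relative links like a browser
        parts = urlsplit(absolute)
        if parts.scheme in ("http", "https"):    # mailto: etc. never reach an httpd
            endpoints.setdefault(endpoint(parts), []).append(absolute)
    return endpoints

def directly_exposed(page_url, html):
    """Endpoints other than the home page's own server that clients must reach."""
    home = endpoint(urlsplit(page_url))
    return sorted(ep for ep in hosts_clients_contact(page_url, html) if ep != home)

if __name__ == "__main__":
    for host, port in directly_exposed(HOME_URL, HOME_HTML):
        print(f"{host}:{port} must run an httpd that clients can reach")
```

Each endpoint it reports needs the same hardening and filtering attention as the server that carries the home page.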