I have two parallel directories configured with access control (config below). In a web browser (IE11), as user 'aaa', I try to access a text file in testgroups2. I correctly get a 403 error. I then access a text file in the directory testgroups, and correctly receive it. If I then rapidly hit the back button on the browser, I can access the previously denied text file in testgroups2.
Further to this, it seems that access to the unauthorised directory is allowed if the user switches from accessing a directory for which they have been authorised to another (which they should not be allowed to see) within the KeepAlive timeout period. In other words it appears that once a TCP connection has been authorised to access one directory it is treated as being authorised to access all directories. In reality, although the connection can be treated as still being authenticated, the authorisation should be rechecked with each request.
<Directory "/var/www/html/testgroups">
AuthType NTLM
AuthName XXX.COM
# 'Require user' takes space-separated names; "aaa," with the comma would be
# read as a literal user name, so the original "aaa, bbb" never matched aaa.
require user aaa bbb
# Apache treats multiple Require lines as alternatives: with 'valid-user'
# present, any authenticated domain user already satisfies this block, so the
# 'user' line above is redundant. Drop 'valid-user' if only aaa and bbb should
# be admitted.
require valid-user
PythonAuthenHandler pyntlm
PythonOption Domain XXXX.COM
PythonOption PDC ldap://xxx-dc-01/DC=xxx,DC=com
PythonOption BDC ldap://xxx-dc-02/DC=xxx,DC=com
</Directory>
<Directory "/var/www/html/testgroups2">
AuthType NTLM
AuthName XXX.COM
require user ccc
# Same caveat as above: 'valid-user' admits every authenticated user,
# including aaa, regardless of the 'user ccc' line.
require valid-user
PythonAuthenHandler pyntlm
PythonOption Domain XXXX.COM
PythonOption PDC ldap://xxx-dc-01/DC=xxx,DC=com
PythonOption BDC ldap://xxx-dc-02/DC=xxx,DC=com
</Directory>
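The distinction the report draws, NTLM authentication being bound to the TCP connection while authorization must be evaluated against the Require rules of each request's directory, can be made concrete with a small model. The following is an added example written for this page; it is not pyntlm's or Apache's code. It replays the browser sequence from the report over one keep-alive connection against a handler that either caches the authorization decision on the connection (the behaviour described) or rechecks the directory's Require lines per request. The `Connection` class, `REQUIRE` table (constructed to mirror the posted config, with the intended names) and the `handle` function are assumptions of this model, not mod_python APIs.

```python
"""Connection-scoped NTLM authentication vs. per-request authorization (illustrative model)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Require rules per directory, constructed to mirror the issue's <Directory> blocks
# with the evident intent (aaa/bbb for testgroups, ccc for testgroups2).
REQUIRE: Dict[str, List[str]] = {
    "/testgroups": ["user aaa bbb"],
    "/testgroups2": ["user ccc"],
}


@dataclass
class Connection:
    """One keep-alive TCP connection. NTLM binds the authenticated user to it."""
    user: Optional[str] = None     # set once the NTLM handshake completes
    authorized: bool = False       # the flawed design caches this per connection


def authorize(user: Optional[str], rules: List[str]) -> bool:
    """Apache 2.2 semantics: access is granted if any Require line is satisfied."""
    for rule in rules:
        kind, *names = rule.split()
        if kind == "valid-user" and user is not None:
            return True
        if kind == "user" and user in names:
            return True
    return False


def directory_for(path: str) -> Optional[str]:
    """Longest-prefix match of the request path against configured directories."""
    best = None
    for directory in REQUIRE:
        if path == directory or path.startswith(directory + "/"):
            if best is None or len(directory) > len(best):
                best = directory
    return best


def handle(conn: Connection, path: str, recheck_authz: bool) -> int:
    """Return the HTTP status for one request on an already-authenticated connection."""
    if conn.user is None:
        return 401                      # NTLM handshake not completed on this connection
    if conn.authorized and not recheck_authz:
        return 200                      # flawed: authorization remembered from an earlier request
    directory = directory_for(path)
    if directory is None:
        return 404
    if not authorize(conn.user, REQUIRE[directory]):
        return 403
    conn.authorized = True              # only matters in the flawed mode
    return 200


def replay(paths: List[str], user: str, recheck_authz: bool) -> List[int]:
    """Send the given requests in order over a single authenticated connection."""
    conn = Connection(user=user)
    return [handle(conn, p, recheck_authz) for p in paths]


if __name__ == "__main__":
    seq = ["/testgroups2/a.txt", "/testgroups/a.txt", "/testgroups2/a.txt"]
    print("cached on connection:", replay(seq, "aaa", recheck_authz=False))
    print("rechecked per request:", replay(seq, "aaa", recheck_authz=True))
```

The cached mode reproduces the reported sequence (403, then 200, then 200 for the path that was just denied); rechecking per request yields 403 for the third request. `authorize` also shows why `require valid-user` next to `require user ccc` admits aaa: the lines are alternatives, not a conjunction.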