Posted to dev@httpd.apache.org by Greg Stein <gs...@lyra.org> on 2001/04/04 10:43:25 UTC

Re: Minor security issue in httpd.conf - .your_domain.com

This is not a security issue. security@apache.org is for reporting security
defects in ASF software. Configuration issues do not count.

However, this does point to a basic problem in our .conf file. We should be
using the example.com domain throughout our .conf and documentation files.
That domain exists solely to be used in RFCs, docs, etc for examples... no
hosts will resolve.

(it is registered to the IANA in perpetuity, for this situation)

Cheers,
-g

On Thu, Apr 05, 2001 at 01:29:06AM -0700, Gary Bickford wrote:
> Folks,
> 
> I was just fixing up a new copy of Apache, and when I was editing the 
> /server-info feature, I forgot to fix the domain name in this section:
> 
> <Location /server-info>
>     SetHandler server-info
>     Order deny,allow
>     Deny from all
>     Allow from .your_domain.com
> </Location>             
> 
> Of course, the Allow from line should read something like this:
>     Allow from 127.0.0.1
> But I was in a hurry and just uncommented these lines out.  I didn't change 
> the domain name until I noticed that I couldn't get to the server-info page.  
> If I hadn't done this check, I might not have noticed this.
> 
> I looked on the net, and sure enough there is an existing web site at 
> www.your_domain.com.  This means that anyone who is behind that domain name 
> could see the server info for my web server.  This could well be a common 
> oversight for both newbies and folks who've done the Apache install one too 
> many times.
> 
> I suggest that you change your_domain.com to something safer such as 
> 127.0.0.1, or something that is put in during configuration, or to some 
> impossible domain name.
> 
> It may be that all the folks at your_domain.com are both wonderful and 
> unknowing about this, but I'd rather not test that hypothesis even though 
> this isn't a very big security problem in any case.
> 
> Thanks for a great product!
> Gary Bickford
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: security-unsubscribe@apache.org
> For additional commands, e-mail: security-help@apache.org

-- 
Greg Stein, http://www.lyra.org/

Re: Minor security issue in httpd.conf - .your_domain.com

Posted by Ben Laurie <be...@algroup.co.uk>.
Greg Stein wrote:
> 
> This is not a security issue. security@apache.org is for reporting security
> defects in ASF software. Configuration issues do not count.
> 
> However, this does point to a basic problem in our .conf file. We should be
> using the example.com domain throughout our .conf and documentation files.
> That domain exists solely to be used in RFCs, docs, etc for examples... no
> hosts will resolve.
> 
> (it is registered to the IANA in perpetuity, for this situation)

Actually, IMO, you should use an illegal name (which we did, so I'm
puzzled - your_domain.com doesn't [and, in theory, can't] resolve, but
your-domain.com does...).

Cheers,

Ben.

> 
> Cheers,
> -g
> 
> On Thu, Apr 05, 2001 at 01:29:06AM -0700, Gary Bickford wrote:
> > Folks,
> >
> > I was just fixing up a new copy of Apache, and when I was editing the
> > /server-info feature, I forgot to fix the domain name in this section:
> >
> > <Location /server-info>
> >     SetHandler server-info
> >     Order deny,allow
> >     Deny from all
> >     Allow from .your_domain.com
> > </Location>
> >
> > Of course, the Allow from line should read something like this:
> >     Allow from 127.0.0.1
> > But I was in a hurry and just uncommented these lines out.  I didn't change
> > the domain name until I noticed that I couldn't get to the server-info page.
> > If I hadn't done this check, I might not have noticed this.
> >
> > I looked on the net, and sure enough there is an existing web site at
> > www.your_domain.com.  This means that anyone who is behind that domain name
> > could see the server info for my web server.  This could well be a common
> > oversight for both newbies and folks who've done the Apache install one too
> > many times.
> >
> > I suggest that you change your_domain.com to something safer such as
> > 127.0.0.1, or something that is put in during configuration, or to some
> > impossible domain name.
> >
> > It may be that all the folks at your_domain.com are both wonderful and
> > unknowing about this, but I'd rather not test that hypothesis even though
> > this isn't a very big security problem in any case.
> >
> > Thanks for a great product!
> > Gary Bickford
> >
> 
> --
> Greg Stein, http://www.lyra.org/
> 

--
http://www.apache-ssl.org/ben.html

In SF until 21st April - http://ApacheCon.com/
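As an added example (not code from this thread or from httpd itself), the following Python script models the two points Greg and Ben make above: how mod_access's `Allow from` host matching admits any client whose reverse-resolved name ends with the placeholder suffix, and how to audit a config for placeholder hosts by whether they can resolve (RFC 2606 reserved, syntactically illegal under RFC 1123 as `your_domain` is, or a real domain someone else may own). The sample config, the function names and the classification labels are constructed for this example.

```python
import re

# RFC 2606 reserves these names for documentation; nothing under them resolves,
# so an unedited stock Allow line that uses one of them admits nobody.
RESERVED = (".example.com", ".example.net", ".example.org", ".invalid", ".test")
# RFC 1123 hostname label: letters, digits, hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
ALLOW_RE = re.compile(r"^\s*#?\s*Allow\s+from\s+(.+?)\s*$", re.IGNORECASE)

def is_reserved(name):
    n = name.lower().strip(".")
    return any(n == s[1:] or n.endswith(s) for s in RESERVED)

def classify(host):
    """Rate one 'Allow from' token by what happens if it is left unedited."""
    if host.lower() == "all" or re.fullmatch(r"[0-9.]+(/[0-9.]+)?", host):
        return "address"        # IP, network or 'all': not a DNS name
    if is_reserved(host):
        return "reserved"       # cannot resolve: safe placeholder
    if not all(LABEL_RE.match(l) for l in host.strip(".").split(".")):
        return "invalid-syntax" # '_' is not RFC 1123 legal, though some resolvers accept it
    return "real-domain"        # someone may own it: unsafe placeholder

def allow_matches(pattern, client_host):
    """Host matching as mod_access's in_domain() does it: the client's reverse-
    resolved name must end with the pattern on a whole-label boundary."""
    p, c = pattern.lower(), client_host.lower().rstrip(".")
    if len(c) < len(p) or not c.endswith(p):
        return False
    return len(c) == len(p) or p.startswith(".") or c[-len(p) - 1] == "."

def audit(conf_text):
    """(line_no, host, classification) for every Allow from token, commented lines too."""
    out = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = ALLOW_RE.match(line)
        if m:
            out += [(no, h, classify(h)) for h in m.group(1).split()]
    return out

# Constructed sample: the block as shipped, plus the patch's proposed replacement.
SAMPLE_CONF = """\
<Location /server-info>
    Deny from all
    Allow from .your_domain.com
</Location>
#    Allow from .your_domain.example.com 127.0.0.1
"""
```

Commented-out lines are audited deliberately, since those are exactly what an admin uncomments in a hurry.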

Re: [PATCH] httpd-std.conf (example.com...)

Posted by "William A. Rowe, Jr." <ad...@rowe-clan.net>.
From: "Justin Erenkrantz" <je...@ebuilt.com>
Sent: Wednesday, April 04, 2001 6:30 AM


> Essentially: 
> s/.your_domain.com/.your_domain.example.com/g
> 
> I noticed that the Win32 port has @@DomainName@@ to specifically get around
> this - maybe we should add something similar to the Unix install-conf target?
> This may wreak havoc with "virtual servers", but uh, if they are using the
> stock httpd.conf they have other problems to worry about.  

Good point, sounds doable.  May I suggest we change the mechanisms?

    Allow @@DomainName@@ 127.0.0.1

so that the local machine can do its own server-status/server-info while we
are cleaning this up?

> So, is there a reliable way of detecting the DNS domain name on Unix systems 
> (the domainname executable is traditionally the NIS domainname).  Searching 
> through resolv.conf doesn't seem like a pretty solution, but it'd work.



[PATCH] httpd-std.conf (example.com...)

Posted by Justin Erenkrantz <je...@ebuilt.com>.
It's 5AM (rather was when I woke up).  I need to wake up.  Nothing better than
a simple search and replace to do that.  This may be overkill or entirely 
wrong, but someone else with commit access can scale back on this if they want 
or ignore it.  I don't intend to go through the source code at this point -
just the conf files seem worthy at this moment.

Essentially: 
s/.your_domain.com/.your_domain.example.com/g

I noticed that the Win32 port has @@DomainName@@ to specifically get around
this - maybe we should add something similar to the Unix install-conf target?
This may wreak havoc with "virtual servers", but uh, if they are using the
stock httpd.conf they have other problems to worry about.  

So, is there a reliable way of detecting the DNS domain name on Unix systems 
(the domainname executable is traditionally the NIS domainname).  Searching 
through resolv.conf doesn't seem like a pretty solution, but it'd work.

Hope everyone has fun at ApacheCon.  =-)  I think everyone else will be 
slightly preoccupied for the next few days... -- justin

Index: httpd-std.conf
===================================================================
RCS file: /home/cvspublic/httpd-2.0/docs/conf/httpd-std.conf,v
retrieving revision 1.28
diff -u -r1.28 httpd-std.conf
--- httpd-std.conf	2001/03/25 16:54:48	1.28
+++ httpd-std.conf	2001/04/04 13:11:53
@@ -228,7 +228,7 @@
 # e-mailed.  This address appears on some server-generated pages, such
 # as error documents.
 #
-ServerAdmin you@your.address
+ServerAdmin you@your.address.example.com
 
 #
 # ServerName allows you to set a host name which is sent back to clients for
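Review bot: `you@your.address.example.com` still reads like a real mailbox even though the comment just above says this address is shown on server-generated pages such as error documents; since the patch's own rule is to park every placeholder under the reserved example.com, a plainer `ServerAdmin webmaster@example.com` would make it obvious to the reader that the value must be edited. The change is otherwise fine: the old `you@your.address` is under a domain the project does not control.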
@@ -242,7 +242,7 @@
 # You will have to access it by its address (e.g., http://123.45.67.89/)
 # anyway, and this will make redirections work in a sensible way.
 #
-#ServerName new.host.name
+#ServerName new.host.name.example.com
 
 #
 # DocumentRoot: The directory out of which you will serve your
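Review bot: the same reasoning that moves `new.host.name` under example.com applies to the unchanged context line `http://123.45.67.89/`, which is a real public address; consider an address from the reserved TEST-NET range 192.0.2.0/24 there so the hunk treats names and numbers consistently. The ServerName line itself stays commented out, so this hunk is documentation only.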
@@ -848,25 +848,25 @@
 
 #
 # Allow server status reports, with the URL of http://servername/server-status
-# Change the ".your_domain.com" to match your domain to enable.
+# Change the ".your_domain.example.com" to match your domain to enable.
 #
 #<Location /server-status>
 #    SetHandler server-status
 #    Order deny,allow
 #    Deny from all
-#    Allow from .your_domain.com
+#    Allow from .your_domain.example.com
 #</Location>
 
 #
 # Allow remote server configuration reports, with the URL of
 #  http://servername/server-info (requires that mod_info.c be loaded).
-# Change the ".your_domain.com" to match your domain to enable.
+# Change the ".your_domain.example.com" to match your domain to enable.
 #
 #<Location /server-info>
 #    SetHandler server-info
 #    Order deny,allow
 #    Deny from all
-#    Allow from .your_domain.com
+#    Allow from .your_domain.example.com
 #</Location>
 
 #
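Review bot: with `Allow from .your_domain.example.com` the leading-dot suffix can no longer match any client's reverse-resolved name, so an admin who uncomments either block without editing it now locks everyone out instead of admitting whoever controls your_domain.com, which is the point of the patch; but that also leaves no way to reach server-status or server-info from the host itself. As suggested elsewhere in this thread, `Allow from 127.0.0.1 .your_domain.example.com` would let the local admin verify the handler while keeping remote access closed by default, and the comment `Change the ".your_domain.example.com" to match your domain to enable` should then say that the loopback address is already permitted.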
@@ -891,7 +891,7 @@
 #<Directory proxy:*>
 #    Order deny,allow
 #    Deny from all
-#    Allow from .your_domain.com
+#    Allow from .your_domain.example.com
 #</Directory>
 
 #
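Review bot: this `<Directory proxy:*>` hunk deserves the closest look of the four, because its Allow line gates who may use the server as a forward proxy rather than who may read a status page; an unedited `.your_domain.com` here would have admitted any client whose reverse DNS ends in a name the project does not control, whereas the example.com placeholder yields a proxy that admits nobody until the admin edits it, which is the right default. Worth a one-line comment above the block saying so, since an admin who uncomments it and sees no clients get through may otherwise widen the rule to `Allow from all`.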


Re: Minor security issue in httpd.conf - .your_domain.com

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Dale Ghent wrote:
> 
> Besides, I believe that most DNS servers (at least later versions
> of BIND) reject hostnames which have underscores (_) in them as
> non-legal characters in DNS.

That is what I thought, too, but I received some spam to-day which
included a hostname with an embedded '_' -- and I was able to
follow the link to that page.. here it is:
<URL:http://recycler_1.tripod.com/recyclersguide/>.
-- 
#ken    P-)}

Ken Coar                    <http://Golux.Com/coar/>
Apache Software Foundation  <http://www.apache.org/>
"Apache Server for Dummies" <http://Apache-Server.Com/>
"Apache Server Unleashed"   <http://ApacheUnleashed.Com/>

Re: Minor security issue in httpd.conf - .your_domain.com

Posted by Dale Ghent <da...@elemental.org>.
On Wed, 4 Apr 2001, Greg Stein wrote:

| This is not a security issue. security@apache.org is for reporting security
| defects in ASF software. Configuration issues do not count.
| 
| However, this does point to a basic problem in our .conf file. We should be
| using the example.com domain throughout our .conf and documentation files.
| That domain exists solely to be used in RFCs, docs, etc for examples... no
| hosts will resolve.
| 
| (it is registered to the IANA in perpetuity, for this situation)

Besides, I believe that most DNS servers (at least later versions of BIND)
reject hostnames which have underscores (_) in them as non-legal
characters in DNS.

/dale