Re: Apache 1.3.27 mod_proxy security issue

["William A. Rowe, Jr." <wr...@apache.org>]

At 04:34 AM 7/29/2003, Michael Shigorin wrote:
>On Tue, Jul 22, 2003 at 05:30:39PM -0500, William A. Rowe, Jr. wrote:
>> As described in the default configuration, open proxies are never
>> recommended [from Apache 1.3.27 conf/httpd.conf-dist];
>
>[skip]
>
>> #        Allow from .your-domain.com
>
>Is it reasonable to use something intentionally broken like
>.your_domain.com (not even example.*) in configuration samples
>like this one?

No, it's not.  We recently attempted to standardize the occurrences
of 'invalid' domain names to the accepted 'example.*' faux domains.
The stock configurations in the next releases of Apache Web Server
have corrected the few that were missed, including the example above.

On the other side of this issue, it's not unreasonable to use a class 
of addresses that doesn't exist, for the purposes of prohibiting all
access until the user takes the time to properly update their conf, 
IMHO.

At 12:31 PM 7/23/2003, Greg A. Woods wrote:

>I don't know how clients are matched against domains in ACL statements
>such as the above in Apache, but I will note that it is NEVER safe to
>rely on the Reverse DNS alone to implement ACLs that affect the ability
>of a random remote client system.

On this point, too, it would be valuable to provide an example subnet as
a preferable alternative to reverse DNS queries.  That change has not been
made yet - but is referred to our documentation project.

Bill


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

Re: Apache 1.3.27 mod_proxy security issue

[Joshua Slive <jo...@slive.ca>]

On Wed, 30 Jul 2003, Marc Slemko wrote:
> Plus for 95% of installations, the performance really doesn't matter.
> What matters more is the possibility of broken reverse DNS causing it
> not to work in ways that are non obvious to many people.
>
> However, this double reverse doesn't seem to be documented in mod_access...
> there should probably be a note there saying it will force double
> lookups... this is documented in the HostnameLookups directive, but
> should be explicitly mentioned (not just linked to without mentioning
> the double reverse issue) in the mod_access docs.

Yep, you're right.  I'll try to take a look at it.

Joshua.

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

Re: Apache 1.3.27 mod_proxy security issue

[Marc Slemko <ma...@znep.com>]

On Tue, 29 Jul 2003, Joshua Slive wrote:

>
> On Tue, 29 Jul 2003, William A. Rowe, Jr. wrote:
> > At 12:31 PM 7/23/2003, Greg A. Woods wrote:
> >
> > >I don't know how clients are matched against domains in ACL statements
> > >such as the above in Apache, but I will note that it is NEVER safe to
> > >rely on the Reverse DNS alone to implement ACLs that affect the ability
> > >of a random remote client system.
> >
> > On this point, too, it would be valuable to provide an example subnet as
> > a preferable alternative to reverse DNS queries.  That change has not been
> > made yet - but is referred to our documentation project.
>
> Apache does double-reverse lookups to assure that nothing too funky is
> going on, so using dns names is relatively safe.  It is still better to
> use an IP subnet for performance reasons, but the hostname may be easier
> to understand as an example.

Plus for 95% of installations, the performance really doesn't matter.
What matters more is the possibility of broken reverse DNS causing it
not to work in ways that are non obvious to many people.

However, this double reverse doesn't seem to be documented in mod_access...
there should probably be a note there saying it will force double
lookups... this is documented in the HostnameLookups directive, but
should be explicitly mentioned (not just linked to without mentioning
the double reverse issue) in the mod_access docs.

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

Re: Apache 1.3.27 mod_proxy security issue

[Joshua Slive <jo...@slive.ca>]

On Tue, 29 Jul 2003, William A. Rowe, Jr. wrote:
> At 12:31 PM 7/23/2003, Greg A. Woods wrote:
>
> >I don't know how clients are matched against domains in ACL statements
> >such as the above in Apache, but I will note that it is NEVER safe to
> >rely on the Reverse DNS alone to implement ACLs that affect the ability
> >of a random remote client system.
>
> On this point, too, it would be valuable to provide an example subnet as
> a preferable alternative to reverse DNS queries.  That change has not been
> made yet - but is referred to our documentation project.

Apache does double-reverse lookups to assure that nothing too funky is
going on, so using dns names is relatively safe.  It is still better to
use an IP subnet for performance reasons, but the hostname may be easier
to understand as an example.

Joshua.

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org