Posted to docs@httpd.apache.org by Rich Bowen <rb...@rcbowen.com> on 2004/01/28 14:38:36 UTC

Re: Suggestion for security tips page.

On Tue, 2 Dec 2003, Jani Mikkonen wrote:

> At least in the machines I've set up for apache use, I have a lot of
> people doing the actual content of the webpages. Most if not all of
> those webmasters use emacs to edit their pages. And as you know, by
> default emacs creates a backup file in the same dir with the ~ character
> at the end of the original filename. This is a possible security breach
> when webmasters are editing script files (cgi/php/ssi/mod_perl stuff)
> that might have sensitive data like passwords/IP addresses of
> internal machines or something similar. And since execution of these
> server-side scripting languages usually depends on the extension of the
> filename, a filename such as "database_connection.php~" would not be
> executed thru the php module and thus the actual code could be read by
> anyone knowing the URL.
> 
> The obvious fix for this problem is to educate the webmasters not to
> copy the stuff onto the live site OR erase the files after they are done, but
> this will most likely happen only after the temperature reaches 0C
> downstairs where the BSD mascot runs the show.
> 
> But to make sure that these files are not presented to the user, I
> always check that my httpd.conf includes the following:
> 
> <Files ~ "\~$">
>     Order allow,deny
>     Deny from all
> </Files>
> 
> I think this falls into pretty much the same category as the protection
> of ^\.ht files, so probably this could be added to the default configuration
> file that ships with the source if it seems necessary?

I'm somewhat torn on this one. A rule like this encourages people to do
stupid things. Don't edit files on the live server.

On the other hand, it is an important security consideration.

On the other hand (running out of hands here), where do we draw the line?
Do we need a rule for vi swap files? MS Word swap files? Pico swap
files?

-- 
And everyone said, "If we only live, 
We too will go to sea in a Sieve -
To the hills of the Chankly Bore!"
 (The Jumblies, by Edward Lear)


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Re: Suggestion for security tips page.

Posted by Lonnie <lo...@umanitoba.ca>.
>My point for the post was that this should be told in the security tips
>pages as it might not be obvious to everyone who starts to configure
>apache the way they like it. And in most cases, there are different people
>for writing the content files and for configuring apache. So you cannot
>just eliminate stupidity without heavy larting and bofhing.
>
>This didn't come to me as "yeah it would be fun to block these" but I
>actually witnessed someone probing my homesite. That prober had created
>a list of all files in my docroot with *.php extension and crawled thru
>them and then sent requests with the same filename and ~ at the end.

I've had some probes/attempted attacks recently also and I agree with
Jani that a security tip in the documentation would be a good thing. I
already had a rule in place in my httpd.conf file to prevent people from
browsing files with ~ in the name, but to newer admins it may not be an
obvious thing to set up.

As Jani pointed out, there are a number of ways for potentially 
exploitable files to make their way onto the site. We have a lot of 
people that use Dreamweaver, which creates .tmp files if you try and 
preview a page (scripted or not). These files sometimes linger around 
and the potential for them being synchronized to the live site does exist.

I'd be willing to take a stab at writing a security tip for this 
particular instance if the consensus is that it would be useful.

-- 
Lonnie Smetana
Web Developer
University of Manitoba

v: 204.474.7228
e: lonnie_smetana@umanitoba.ca




Re: Suggestion for security tips page.

Posted by Rich Bowen <rb...@rcbowen.com>.
On Wed, 28 Jan 2004, Jani Mikkonen wrote:

> > On the other hand (running out of hands here), where do we draw the line?
> > Do we need a rule for vi swap files? MS Word swap files? Pico swap
> > files?
> 
> My point for the post was that this should be told in the security tips
> pages as it might not be obvious to everyone who starts to configure
> apache the way they like it. And in most cases, there are different people
> for writing the content files and for configuring apache. So you cannot
> just eliminate stupidity without heavy larting and bofhing.
> 
> This didn't come to me as "yeah it would be fun to block these" but I
> actually witnessed someone probing my homesite. That prober had created
> a list of all files in my docroot with *.php extension and crawled thru
> them and then sent requests with the same filename and ~ at the end.

I certainly wasn't suggesting that. I simply want to discuss all the
ramifications, and how far we should take this. I think it's a good
idea, but I want to do it correctly and thoroughly. But at the same
time, not overdo it.

-- 
Stretching out your hand
Full of starlit diamonds
Earthshine




Re: Suggestion for security tips page.

Posted by Jani Mikkonen <ja...@mikkonen.org>.
On Wed, 2004-01-28 at 15:38, Rich Bowen wrote:

> I'm somewhat torn on this one. A rule like this encourages people to do
> stupid things. Don't edit files on the live server.

There are other ways for these backup files to get onto the live server
too. Think about someone editing files, then doing a wildcarded cvs
import for the whole tree with the backups and all (of course this falls
into the category: stupid things) and then each time the live server checks
out the stuff, the backups are there.

Or

Rsync the whole directory structure to live.

> On the other hand (running out of hands here), where do we draw the line?
> Do we need a rule for vi swap files? MS Word swap files? Pico swap
> files?

My point for the post was that this should be told in the security tips
pages as it might not be obvious to everyone who starts to configure
apache the way they like it. And in most cases, there are different people
for writing the content files and for configuring apache. So you cannot
just eliminate stupidity without heavy larting and bofhing.

This didn't come to me as "yeah it would be fun to block these" but I
actually witnessed someone probing my homesite. That prober had created
a list of all files in my docroot with *.php extension and crawled thru
them and then sent requests with the same filename and ~ at the end.


-- 
Jani Mikkonen <jani dot mikkonen at jippiigroup dot com>
ADVOGATO Profile: http://www.advogato.org/person/rasjani
Public key available from www.keyserver.net - ProPrivacy!
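The cvs-import and rsync paths Jani describes are where most of these files slip through, so the complementary control is to audit the working copy and exclude the patterns from the sync itself. The script below is an added example, not code from the thread; the pattern list (emacs `name~` and `#name#`, vi `.name.swp`, Dreamweaver `name.tmp`) and the rsync source/destination are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a working copy for editor
# leftovers before it is copied or rsynced to the live docroot.
# Pattern list is an assumption; extend it for the editors in use.

# List every leftover file under the given directory, one path per line.
find_editor_leftovers() {
    find "$1" -type f \( -name '*~' -o -name '#*#' -o -name '.*.swp' \
                         -o -name '*.tmp' \) -print
}

# Print the number of leftovers (0 means the tree is clean).
count_editor_leftovers() {
    find_editor_leftovers "$1" | wc -l | tr -d ' '
}

# Push a tree to the live docroot with the same patterns excluded.
# $1 and $2 are placeholder source/destination paths; --dry-run only
# reports what would be transferred.
sync_without_leftovers() {
    rsync -av --dry-run \
        --exclude='*~' --exclude='#*#' --exclude='.*.swp' --exclude='*.tmp' \
        "$1/" "$2/"
}

# Constructed demo tree: two real scripts plus four editor leftovers,
# including a backup of a script that would hold connection details.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/inc"
    touch "$tmp/src/index.php" "$tmp/src/inc/db.php" \
          "$tmp/src/index.php~" "$tmp/src/inc/db.php~" \
          "$tmp/src/inc/.db.php.swp" "$tmp/src/page.tmp"
    n=$(count_editor_leftovers "$tmp/src")
    if [ "$n" -ne 0 ]; then
        echo "not syncing: $n editor leftover file(s) found:"
        find_editor_leftovers "$tmp/src"
    else
        echo "tree is clean"
    fi
    rm -rf "$tmp"
}

demo
```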

Re: Suggestion for security tips page.

Posted by Mads Toftum <ma...@toftum.dk>.
On Wed, Jan 28, 2004 at 08:38:36AM -0500, Rich Bowen wrote:
> I'm somewhat torn on this one. A rule like this encourages people to do
> stupid things. Don't edit files on the live server.
> 
Edit it offline and do a recursive copy and the problem will be the
same - either way, I think there's plenty of these that inadvertently
end up where they shouldn't be.

> On the other hand, it is an important security consideration.
> 
Exactly.

> On the other hand (running out of hands here), where do we draw the line?
> Do we need a rule for vi swap files? MS Word swap files? Pico swap
> files?
> 
We already have IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
Maybe that is a good measure of files you probably don't want to 
serve? 
If we don't put it in the default conf, then we should at least put
it in the security doc.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall


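As an added example (not the thread's config nor the httpd default file), one httpd.conf fragment that generalises Jani's `<Files ~ "\~$">` rule to the other leftovers raised in the thread and pairs it with the IndexIgnore line Mads quoted; the exact suffix list is an assumption to adjust per site.

```apache
# Added example, not from the thread or the httpd distribution.
# <Files>/<FilesMatch> match on the final path component only, so one
# block in the server config covers every directory httpd serves from.
#
# Matches: emacs backups (name~), emacs autosave files (#name#),
# vi/vim swap files (.name.swp), Dreamweaver preview files (name.tmp),
# RCS ,v files (from the IndexIgnore list below).
<FilesMatch "(~|#|\.(swp|tmp)|,v)$">
    # httpd 1.3 / 2.0 / 2.2 syntax (mod_access), as in Jani's rule:
    Order allow,deny
    Deny from all
</FilesMatch>

# On httpd 2.4 (mod_authz_core) the same block reads:
# <FilesMatch "(~|#|\.(swp|tmp)|,v)$">
#     Require all denied
# </FilesMatch>

# Keep directory listings (mod_autoindex) from advertising such files too;
# this is the default line Mads quoted:
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
```

Run `apachectl configtest` after adding the block, then request a known script name with `~` appended and confirm the server answers 403 rather than returning the source.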