| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: damian at sentex.net (Damian Gerow) Subject: Frontpage Extensions Remote Command Execution Thus spake Paul Schmehl (pauls@...allas.edu) [12/11/03 17:21]: > You're serious? I mean *really* serious? Or is this a test? Really, *really* serious. > How do you explain this, for example? > > http://httpd.apache.org/docs/misc/security_tips.html What do I need to explain? There's nothing in that document that says, 'After installing apache, unless you do this simple task, you are open to a vulnerability.' At its worst, it says, 'Because Apache runs as a specific user, and thus all configured sites run as that user, these users can potentially attack each other.' (In fact, there has been a vulnerability released in the past year (six months?) that has let people do exactly that. So that is the only real point of concern.) However, let's look at the installation. I use FreeBSD. So I install the www/apache13 (or www/apache13-modssl) port. It installs, doesn't enable SSI, has suEXEC configured in it by default, runs as a non-root user, and has pretty sane restrictions on what it can and cannot serve. As well, www/apache13 already has 'AllowOverride None' on /. So I don't have to worry about SSI stuff, but CGI stuff is still a concern. But I already have suEXEC enabled, so I just need to attach the users (yes, this is a bit of a concern, I agree), and I've already attained 90% of the 'To run a really tight ship, do ...' the document specifies. Let's take this a step further. I want webmail. So I install the www/horde port. And look at that -- it *also* installs with sane restrictions, so that people can't view my documents or configuration files. So I really do fail to see what I need to explain. I still stand by what I said, that a decent OS shouldn't need the admin to go in afterwards and modify filesystem permissions in order to guarantee a base line of security.* The biggest problem I see here is that there is no example for suEXEC in the configuration file. And Apache could perhaps enable suEXEC by default for /~jschmoe URLs (or does it -- I don't know). The other big concern is the installation of www/mod_php4, www/mod_perl, and the like. Not under suEXEC, you are pretty much open to do what you want as the web server. That includes potentially killing any of the children httpd processes. Under suEXEC, you are open to do what you want as the user. That does *not* include killing any httpd processes. However, this is considerably more complicated than a, 'this file should not have been installed with such loose permissions' problem. This is a continuing, ongoing configuration problem, not a one-time fixup due to a problem in the install. So to get this up and running with a base line of security, I did *not* have to once go in and change the permissions on any of the files that the port installed. It's entirely possible that I have missed something glaringly obvious (that happens when you focus on multiple things at once), so please, point it out to me if I have. - Damian * = In reviewing my comment, I should also state this: While this came as a direct result of a Microsoft-ism, this also applies to any other platform. OS X has had its own filesystem permission problems (OS X Server, I'm not sure about), and I'm sure that somewhere in the history of Open Source there have been security issues with default permissions. Not to mention Solaris, AIX, Irix, AUX...
Powered by blists - more mailing lists