From: pauls at utdallas.edu (Schmehl, Paul L)
Subject: apache browsing files 

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> Valdis.Kletnieks@...edu
> Sent: Monday, January 05, 2004 2:34 PM
> To: diego.veiga@...raer.com.br
> Cc: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] apache browsing files 
> 
> On Mon, 05 Jan 2004 17:00:37 -0200, diego.veiga@...raer.com.br  said:
> 
> > Is there a way for apache only browse files *.html or *.php not all 
> > files type in the browser adress?
> 
> There probably is a directive for it.

There's more than one.  You could edit IndexIgnore and add *.log to it
(and whatever else you want - *.gif, *.jpg, whatever.)  You could chown
the logfiles to root and chmod them so only root could read them (which
should be done for all logfiles anyway - at a minimum root:wheel
rw-r----.)  You could use "Options -Indexes" to turn automatic indexing
off entirely.  You could use "% touch index.html" for each directory on
the web server to add a blank index file.

> It won't help.

Maybe not, but I can think of legitimate reasons (note that I didn't say
intelligent) to have logfiles web-viewable.  If you're doing virtual
hosting and you want each of the sites you host to have access to their
logs without having to give them shell access, you may choose to do it
this way.  Of course, you wouldn't have the main apache logs there, and
you'd want to configure logging so it only gave the website owners
useful information without giving away the farm.  You may also want to
use .htaccess to force a login to view those logs.  But there are better
ways to provide statistical information to website owners (weblog.pl,
webalizer, etc.) if that's what the goal is.
> 
> It would require that the same sites that aren't able to 
> change the config to a secure mode (by putting the logs 
> elsewhere)

Ummm...if you're running apache, the config (wrt location of logs -
usually either /var/log or /var/log/http/logs/) is secure by default.
You'd have to *change* the default to have the logs web-viewable, so
there has to be some decision-making going on here (not the best
decision-making, perhaps, but decision-making nonetheless.)  First you'd
have to change the default location of the logs.  Then you'd have to
change the default ownership and/or group of the logs and/or make them
world-viewable.

> would have to change the config to add a directive 
> that worked around their original misconfiguration.  If 
> they're going to change the config *anyhow*, they should just 
> fix the base problem rather than hack around it.
> 
Well, it isn't a mis-configuration.  A poorly thought out configuration
perhaps.  But not a misconfiguration.  A misconfiguration should result
in errors when running "% apachectl configtest".  A poor configuration
would result in no errors but would expose the website and/or server to
unnecessary risk.

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
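Added example (not part of the original message or of the Apache project): a POSIX shell script that applies the measures listed in the reply above to a DocumentRoot, and audits the result. It emits a hardened `<Directory>` block using the `Options -Indexes` and `IndexIgnore` directives named in the message, creates an empty `index.html` in every directory that lacks one, and strips world-read permission from `*.log` files. The docroot path is a placeholder supplied by the caller; the `chown` to root mentioned in the message needs privileges and is left to the administrator.

```shell
#!/bin/sh
# Added example: apply the directory-listing mitigations from the reply to a
# DocumentRoot. The docroot path is an assumption passed in by the caller.
set -eu

# Emit an Apache <Directory> block that turns automatic indexing off and,
# should indexes be re-enabled for a subdirectory, keeps logs and images out
# of the listing (the IndexIgnore directive from the message).
hardened_directory_block() {
    docroot=$1
    cat <<EOF
<Directory "$docroot">
    # Disable automatic directory listings entirely.
    Options -Indexes
    # Keep these out of any listing that is still enabled elsewhere.
    IndexIgnore *.log *.gif *.jpg
</Directory>
EOF
}

# Print every directory under the docroot with no index.html or index.php,
# i.e. every place a listing would be generated if indexing were on.
audit_indexless_dirs() {
    docroot=$1
    find "$docroot" -type d | while IFS= read -r dir; do
        [ -e "$dir/index.html" ] || [ -e "$dir/index.php" ] || printf '%s\n' "$dir"
    done
}

# The "% touch index.html" measure: create an empty index file in each
# directory reported by the audit.
add_index_files() {
    audit_indexless_dirs "$1" | while IFS= read -r dir; do
        : > "$dir/index.html"
    done
}

# Remove world-read permission from every *.log under the tree so a listing
# (or a direct URL) cannot serve it. -perm -004 selects files with o+r set.
lock_down_logs() {
    find "$1" -type f -name '*.log' -perm -004 -exec chmod o-r {} +
}

# Count the *.log files that are still world-readable; 0 is the goal.
world_readable_logs() {
    find "$1" -type f -name '*.log' -perm -004 | wc -l | tr -d ' '
}
```

Typical use is `audit_indexless_dirs /path/to/docroot` to see what a listing would expose, then `add_index_files` and `lock_down_logs` on the same path, with the emitted `<Directory>` block pasted into httpd.conf. The audit functions are separated from the ones that change things so the script can be run read-only first.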

