lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5.2.0.9.2.20030729150030.02c76008@pop3.rowe-clan.net>
Date: Tue, 29 Jul 2003 15:36:40 -0500
From: "William A. Rowe, Jr." <wrowe@...che.org>
To: Michael Shigorin <mike@...n.org.ua>,"Greg A. Woods" <woods@...rd.com>
Cc: bugtraq@...urityfocus.com,docs@...pd.apache.org
Subject: Re: Apache 1.3.27 mod_proxy security issue


At 04:34 AM 7/29/2003, Michael Shigorin wrote:
>On Tue, Jul 22, 2003 at 05:30:39PM -0500, William A. Rowe, Jr. wrote:
>> As described in the default configuration, open proxies are never
>> recommended [from Apache 1.3.27 conf/httpd.conf-dist];
>
>[skip]
>
>> #        Allow from .your-domain.com
>
>Is it reasonable to use something intentionally broken like
>.your_domain.com (not even example.*) in configuration samples
>like this one?

No, it's not.  We recently attempted to standardize the occurrences
of 'invalid' domain names to the accepted 'example.*' faux domains.
The stock configurations in the next releases of Apache Web Server
have corrected the few that were missed, including the example above.

On the other side of this issue, it's not unreasonable to use a class 
of addresses that doesn't exist, for the purposes of prohibiting all
access until the user takes the time to properly update their conf, 
IMHO.

At 12:31 PM 7/23/2003, Greg A. Woods wrote:

>I don't know how clients are matched against domains in ACL statements
>such as the above in Apache, but I will note that it is NEVER safe to
>rely on the Reverse DNS alone to implement ACLs that affect the ability
>of a random remote client system.

On this point, too, it would be valuable to provide an example subnet as
a preferable alternative to reverse DNS queries.  That change has not been
made yet - but is referred to our documentation project.

Bill

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ