lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <15533237421C6E4296CC33A2090B224A54C93A@UTDEVS02.campus.ad.utdallas.edu>
From: pauls at utdallas.edu (Schmehl, Paul L)
Subject: apache browsing files 

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> Valdis.Kletnieks@...edu
> Sent: Monday, January 05, 2004 2:34 PM
> To: diego.veiga@...raer.com.br
> Cc: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] apache browsing files 
> 
> On Mon, 05 Jan 2004 17:00:37 -0200, diego.veiga@...raer.com.br  said:
> 
> > Is there a way for apache only browse files *.html or *.php not all 
> > files type in the browser adress?
> 
> There probably is a directive for it.

There's more than one.  You could edit IndexIgnore and add *.log to it
(and whatever else you want - *.gif, *.jpg, whatever.)  You could chown
the logfiles to root and chmod them so only root could read them (which
should be done for all logfiles anyway - at a minimum root:wheel
rw-r----.)  You could use "Options -Indexes" to turn automatic indexing
off entirely.  You could use "% touch index.html" for each directory on
the web server to add a blank index file.

>It won't help.

Maybe not, but I can think of legitimate reasons (note that I didn't say
intelligent) to have logfiles web-viewable.  If you're doing virtual
hosting and you want each of the sites you host to have access to their
logs without having to give them shell access, you may chose to do it
this way.  Of course, you wouldn't have the main apache logs there, and
you'd want to configure logging so it only gave the website owners
useful information without giving away the farm.  You may also want to
use .htaccess to force a login to view those logs.  But there are better
ways to provide statistical information to website owners (weblog.pl,
webalizer, etc.) if that's what the goal is.
> 
> It would require that the same sites that aren't able to 
> change the config to a secure mode (by putting the logs 
> elsewhere)

Ummm...if you're running apache, the config (wrt location of logs -
usually either /var/log or /var/log/http/logs/) is secure by default.
You'd have to *change* the default to have the logs web-viewable, so
there has to be some decision-making going on here (not the best
decision-making, perhaps, but decision-making nonetheless.)  First you'd
have to change the default location of the logs.  Then you'd have to
change the default ownership and/or group of the logs and/or make them
world-viewable.

> would have to change the config to add a directive 
> that worked around their original misconfiguration.  If 
> they're going to change the config *anyhow*, they should just 
> fix the base problem rather than hack around it.
> 
Well, it isn't a mis-configuration.  A poorly thought out configuration
perhaps.  But not a misconfiguration.  A misconfiguration should result
in errors when running "% apachectl configtest".  A poor configuration
would result in no errors but would expose the website and/or server to
unnecessary risk.

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ