WebApp Sec mailing list archives

Re: htaccess with apache


From: Tim Greer <chatmaster () charter net>
Date: 04 Nov 2003 12:55:43 -0800

On Tue, 2003-11-04 at 12:41, Graham Lally wrote:
> Tim Greer wrote:
>> You'll want to filter lots after that, although the easiest way is to
>> restrict the template name to valid characters, and remove everything
>> else. The regexp on the page is:
>>
>>    /^[\w\-\.]*$/
>>
>> So if template doesn't match that, something's wrong.
>>
>> I also recommend making sure the file ends with a specific file
>> extension, so only certain HTML or template (or text) files can be opened:
>>
>> /^[\w\-]*\.(html?|txt|tmpl)$/i  (for example--and you likely don't need
>> to capture those values, so use '?:' there)
>
> Taint mode (#!/usr/bin/perl -T) on the script is worth adding in here
> too... Without going on and on about CGI sec: if $template is being
> passed in to the perl 'open' command unfiltered, then pipes and
> redirections can be provided, turning a read into an exec or a write, so
> any Perl CGI should specify -T to enforce the regexp check above.

Good point, I should have mentioned that.  I personally only add Taint
mode when testing--and I rarely do that with all the checks I do to
check for specific characters, etc.  I realize it seems like a risk to
some people, but I don't feel I need to do it (I also realize how that
sounds to some people. :-)

However, I also don't just allow people to pass anything, which allows
for me to not use it and be safe (but yes, I have to be more careful
with my checks--but I figure I better be anyway and I'm fine with it and
only allowing exactly (or the exact characters) I want or need to be
passed (or not)).  However, it's definitely great advice that I should
have suggested myself.

>>> /etc/passwd shouldn't be readable by the CGI server!
>>
>> Sure it should be!  The default permissions (that are safe too) are 644
>> for this file.  Are you thinking of shadow or master.passwd???
>
> Oops, yes, my bad, I take that bit completely back - never try and
> concentrate on too many things at once ;) Still, file permissions and
> server privileges should be high on the list of Things To Check,
> especially if open's being used.

Certainly.  Having wrappers which allow for lower permissions and then
deny the users from viewing them is a plus.  But, like we all agree,
permissions (and ownership) are important to be as safe as possible in
that regard.
-- 
Tim Greer <chatmaster () charter net>
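As an added example (not code from the thread or from either poster), here is how the two suggestions above fit together in a Perl CGI: the anchored whitelist with a required extension, the regexp capture that taint mode requires before a value may reach a write or an exec, and a three-argument open so that a name beginning with '|' or '>' is only ever a filename. The function names untaint_template and read_template, the sample names and the temporary templates directory are all constructed for this demonstration.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): validate a CGI-supplied template name
# before handing it to open().  Run as:  perl -T template_check.pl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Whitelist the template name: ASCII word characters and hyphens, then one of
# the allowed extensions, anchored at both ends.  Under -T the capture ($1) is
# the only thing that untaints the value; returning the raw input would not.
sub untaint_template {
    my ($name) = @_;
    return unless defined $name;
    return $1 if $name =~ /^([A-Za-z0-9_\-]+\.(?:html?|txt|tmpl))$/i;
    return;
}

# Read the validated template from a fixed directory.  The three-argument
# open with an explicit '<' mode never treats a leading '|' or '>' in the
# name as a pipe or redirection, which is the hole the two-argument form has.
sub read_template {
    my ($dir, $name) = @_;
    my $safe = untaint_template($name);
    die "rejected template name\n" unless defined $safe;
    open(my $fh, '<', "$dir/$safe") or die "cannot open $safe: $!\n";
    local $/;                       # slurp the whole file
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Constructed inputs: two that should pass and three that should be refused
# (a traversal attempt, a pipe prefix, and a trailing pipe).
my @samples = ('index.html', 'page-1.tmpl', '../etc/passwd', '|ls', 'index.html|');
for my $s (@samples) {
    my $ok = untaint_template($s);
    printf "%-20s %s\n", $s, defined $ok ? "accepted as '$ok'" : 'rejected';
}

# Constructed template directory so the read path can be exercised offline.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/index.html") or die "cannot write: $!\n";
print $out "<p>constructed template</p>\n";
close $out;
print read_template($dir, 'index.html');
```

Run it with `perl -T`; starting it as `perl template_check.pl` makes Perl stop with "Too late for -T" because the flag must be set before the script is compiled. One caveat worth knowing: taint mode permits a read-only open of a tainted filename, so it is the whitelist, not -T alone, that refuses the `../` names here; what -T guarantees is that an unvalidated name can never reach a write, a pipe open, or a system call, which is exactly the read-turned-into-exec case discussed in the thread.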
