WebApp Sec mailing list archives
RE: htaccess with apache
From: "Dinis Cruz" <dinis () ddplus net>
Date: Mon, 10 Nov 2003 18:35:04 -0000
Very interesting thread. Unfortunately I can't add my ideas and suggestions since currently I'm more involved with Asp.Net and IIS security. But it seems to me that, given the complexity of web application deployment, it is a certainty that configuration errors will occur (even the most experienced and competent sysadmins make occasional mistakes). I think that the best solution is to have tools that test the server's security configuration (from the inside) and help those administrators fix the problems identified. I created such a tool for the IIS environment (Asp.Net Security Analyser), and would be very interested to know if anybody has developed a similar tool for the Linux/Apache environments.

Best regards,

Dinis Cruz
.Net Security Consultant
DDPlus (www.ddplus.net)

NOTE: I'm also Portuguese! Currently I live in London, but it is definitely a small world we live in :)
-----Original Message-----
From: MTeixeira () njtransit com [mailto:MTeixeira () njtransit com]
Sent: Wednesday, November 05, 2003 6:36 PM
To: vasco () all-2-it com; webappsec () securityfocus com
Subject: RE: htaccess with apache

I agree with Antonio. Just because the default is to allow it, it doesn't mean it should be left alone. Unfortunately, it's the case with many other issues where the default isn't good enough.

P.S. Viva Portugal :)

MIGUEL A. TEIXEIRA
NJ Transit Corporation
Information Services
One Penn Plaza East, Newark, NJ 07105-2246
v: 973.491.8153 f: 973.491.7511
mteixeira () njtransit com
www.njtransit.com

-----Original Message-----
From: António Vasconcelos [mailto:vasco () all-2-it com]
Sent: Wednesday, November 05, 2003 8:22 AM
To: webappsec () securityfocus com
Subject: Re: htaccess with apache

Tim Greer wrote:
>> MORE IMPORTANTLY, /etc/passwd shouldn't be readable by the CGI server!
> Sure it should be! The default permissions (that are safe too) are 644 for this file. Are you thinking of shadow or master.passwd???

It shouldn't... There is no need for nobody/nobody to read the /etc/passwd file. Of course the passwords are in /etc/shadow, but I see no reason to show everyone (or nobody in this case, hehehe) the list of users and their shells. Yes, the default permissions will allow user nobody to do just that; that's why there are Unixes where you can set up extended permissions for any file.

--
António Vasconcelos (Systems Administrator)
ALL2IT-Infocomunicações, SA
Torre de Monsanto, 6º Piso
Miraflores, Algés
PORTUGAL
Telf.: + 351 21 412 39 50
Fax.: + 351 21 410 51 94

*CONFIDENTIAL*: This e-mail contains proprietary information, some or all of which may be legally privileged. It is for the intended recipients only. According to the law in force, if an addressing or transmission error has misdirected this e-mail, please notify the author by replying to this e-mail and delete it from your system without retaining a copy.
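A small audit script in the spirit of the configuration-testing tool Dinis asks about, added here as an example and not code from the thread or from any tool it mentions: it checks whether the web server's unprivileged account (assumed here to be `nobody`) could read files such as /etc/passwd, the case António raises, by evaluating each file's mode bits against that account's uid and gid set rather than the auditor's own.

```python
"""Audit which files a web server's unprivileged account could read (added example).
Read access is derived from mode bits and ownership for a chosen uid/gid set, so the
check can run as root and still answer "could nobody read this?"."""
import grp
import os
import pwd
import stat

# Paths chosen for this example; /etc/passwd is the one the thread argues about.
SENSITIVE_PATHS = ["/etc/passwd", "/etc/shadow", "/etc/group"]


def mode_grants_read(mode, owner_uid, owner_gid, uid, gids):
    """Classic POSIX rule: exactly one class applies (owner, else group,
    else other); root always reads. gids is the account's complete gid set."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def account_ids(name):
    """uid plus primary and supplementary gids of a local account (assumes it exists)."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


def audit_paths(paths, uid, gids):
    """Stat each existing path; return (path, symbolic mode, readable-by-account)."""
    findings = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # not every system has every file; skip rather than fail
        readable = mode_grants_read(st.st_mode, st.st_uid, st.st_gid, uid, gids)
        findings.append((path, stat.filemode(st.st_mode), readable))
    return findings


if __name__ == "__main__":
    uid, gids = account_ids("nobody")  # assumption: Apache runs as nobody
    for path, mode, readable in audit_paths(SENSITIVE_PATHS, uid, gids):
        print(f"{mode} {path}: {'READABLE' if readable else 'not readable'} by nobody")
```

Run it as root on the web host; a `READABLE` line for a file the server has no business reading is the kind of finding such a tool should flag for the administrator.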
Current thread:
- Re: htaccess with apache, (continued)
- Re: htaccess with apache Tim Greer (Nov 11)
- Re: htaccess with apache Vladimir Danilyuk (Nov 04)
- Re: htaccess with apache Tim Greer (Nov 04)
- Re: htaccess with apache Peter Conrad (Nov 04)
- Re: htaccess with apache Lucas Holt (Nov 04)
- Re: htaccess with apache Cameron Green (Nov 04)
- RE: htaccess with apache Anonymous Sender (Nov 04)
- RE: htaccess with apache Maxim Kostioukov (Nov 04)
- RE: htaccess with apache MTeixeira (Nov 05)
- RE: htaccess with apache Tim Greer (Nov 05)
- RE: htaccess with apache Dinis Cruz (Nov 11)
- RE: htaccess with apache Tim Greer (Nov 11)