RE: htaccess with apache

["Dinis Cruz" <dinis () ddplus net>]

Very interesting thread, unfortunately I can't add my ideas and
suggestions since currently I'm more involved with Asp.Net and IIS
security.

But it seams to me that given the complexity of web application
deployment is it a certainty that configuration errors will occur (event
the most experiment and competent sysadmins make occasional mistakes).

I think that the best solution is to have tools that test the servers
security configuration (from the inside) and help those administrators
to fix the problems identified.

I created such tool for the IIS environment (Asp.Net Security Analyser),
and would be very interested to know if anybody as developed a similar
tool for the Linux/Apache environments.

Best regards

Dinis Cruz
.Net Security Consultant
DDPlus (www.ddplus.net)

NOTE: I'm also Portuguese! Currently I live in London, but It is
definitely a small world we live in :) . 

> -----Original Message-----
> From: MTeixeira () njtransit com [mailto:MTeixeira () njtransit com] 
> Sent: Wednesday, November 05, 2003 6:36 PM
> To: vasco () all-2-it com; webappsec () securityfocus com
> Subject: RE: htaccess with apache
>
>
> I agree with Antonio.  Just because the default is to allow 
> it, it doesn't mean it should be left alone.  Unfortunately, 
> it's the case with many other issues where the default isn't 
> good enough.
>
> P.S.  Viva portugal :)
>
> MIGUEL A. TEIXEIRA
> NJ Transit\\\ Corporation Information Services
> One Penn Plaza East, Newark, NJ 07105-2246
> v: 973.491.8153   f: 973.491.7511
> mteixeira () njtransit com
> www.njtransit.com
>
>
> -----Original Message-----
> From: António Vasconcelos [mailto:vasco () all-2-it com] 
> Sent: Wednesday, November 05, 2003 8:22 AM
> To: webappsec () securityfocus com
> Subject: Re: htaccess with apache
>
>
> Tim Greer wrote:
>
> >  
> >
> > > MORE IMPORTANTLY,
> > > /etc/passwd shouldn't be readable by the CGI server!
> > >    
> >
> > Sure it should be!  The default permissions (that are safe 
> too) are 644
> > for this file.  Are you thinking of shadow or master.passwd???
> >  
> It shouldn't...
> There is no need for nobody/nobody to read /etc/passwd file. 
> Of course 
> that the passwords are in /etc/shadow but I see no reason to show 
> everyone (or nobody in this case, hehehe) the list of users 
> and it's shells. Yes, the default permssions will allow user 
> nobody to do just that, 
> that's why there are unix'es were you can setup extended 
> permissions for 
> any file.
>
> -- 
>
> António  Vasconcelos
> /(Administrador de Sistemas)
> ALL2IT-Infocomunicações, SA
> Torre de Monsanto, 6º Piso
> Miraflores, Algés
> PORTUGAL
> Telf.: + 351 21 412 39 50
> Fax.: + 351 21 410 51 94/
>
>  
>
> *CONFIDENCIAL*: Esta mensagem contém informação confidencial 
> ou material 
> privilegiado, e é só intencionada para os seus destinatários. 
> De acordo 
> com a lei em vigor, se um erro originou que tenha recebido 
> esta mensagem 
> por engano pedimos que, de imediato, notifique o remetente e 
> a apague do 
> seu sistema sem a reproduzir.
>       *CONFIDENTIAL*: This e-mail contains proprietary 
> information, some or 
> all of which may be legally privileged. It is for the intended 
> recipients only. According to the law in force, if an addressing or 
> transmission error has misdirected this e-mail, please notify 
> the author 
> by replying to this e-mail and delete it from your system without 
> retaining a copy.
>
>
>
>
> ..............................................................
> .....................
> Scanned OK by ALL-2-IT Anti-Virus Gateway