
Bug#670518: apache2: should provide security information w.r.t. scripting modules



Package: apache2.2-common
Version: 2.2.22-4
Severity: wishlist

The latest upgrade has the following in the ChangeLog:

apache2 (2.2.22-4) unstable; urgency=high

  * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
    hosts' config files.
    If scripting modules like mod_php or mod_rivet are enabled on systems
    where either 1) some frontend server forwards connections to an apache2
    backend server on the localhost address, or 2) the machine running
    apache2 is also used for web browsing, this could allow a remote
    attacker to execute example scripts stored under /usr/share/doc.
    Depending on the installed packages, this could lead to issues like cross
    site scripting, code execution, or leakage of sensitive data.

 -- Stefan Fritsch <sf@debian.org>  Sun, 15 Apr 2012 23:41:43 +0200

However this change does not fix the real problem, just the default
configuration. Debian should provide security information about
problems like that (see below the details about these problems), in
README.Debian or some separate information file (with "security" in
its name).

Also, it would be better to fix the scripting modules or their default
configuration so that they are enabled only when requested explicitly
on a per-directory basis (a bit like ExecCGI for the mod_cgi module?).

The admin of the machine or the end user (e.g. via his public_html in
his home dir) may want to link to some doc directory like /usr/share/doc
or $HOME/doc (if he installs software in his home dir). He may also want
to allow these docs to be accessible from remote machines. Scripts from
these directories should be read as text files, not executed. And the
user should know what to do to ensure that.

Even if the admin or the end user thinks this is safe because packages
providing scripting modules are not installed, this may not be the case
in the future, and the problem may be more hidden if such packages are
installed via dependencies. So, it would be nice to know what to do
even if such packages are not installed/enabled yet.

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi cgid dav dav_svn deflate dir
  env mime negotiation perl python reqtimeout setenvif status

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii  apache2-mpm-worker  2.2.22-4
ii  apache2.2-common    2.2.22-4

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils  2.2.22-4
ii  apache2.2-bin  2.2.22-4
ii  lsb-base       4.1+Debian2
ii  mime-support   3.52-1
ii  perl           5.14.2-9
ii  procps         1:3.3.2-3

Versions of packages apache2.2-common recommends:
ii  ssl-cert  1.0.28

Versions of packages apache2.2-common suggests:
ii  apache2-doc                             2.2.22-4
ii  apache2-suexec | apache2-suexec-custom  <none>
ii  chromium [www-browser]                  18.0.1025.151~r130497-1
ii  epiphany-browser [www-browser]          3.2.1-2
ii  iceape [www-browser]                    2.7.3-2
ii  iceweasel [www-browser]                 10.0.4esr-1
ii  links [www-browser]                     2.6-1
ii  links2 [www-browser]                    2.6-1
ii  lynx-cur [www-browser]                  2.8.8dev.12-2
ii  midori [www-browser]                    0.4.3-1
ii  uzbl [www-browser]                      0.0.0~git.20111128-2
ii  w3m [www-browser]                       0.5.3-5

-- no debconf information
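
A check for the condition the changelog describes (a scripting module enabled while an Alias maps a URL onto a documentation tree), as an added example that is not part of the original report or of Debian's tooling. The module-name fragments, `DOC_ROOTS`, the function names and the sample vhost fragment are assumptions.

```python
import posixpath
import shlex

# Assumption: name fragments treated as scripting modules. php and rivet are
# named in the changelog; perl and python appear in the report's module list.
SCRIPTING = ("php", "rivet", "perl", "python")
# Assumption: filesystem trees regarded as documentation directories.
DOC_ROOTS = ("/usr/share/doc",)

def scripting_modules(enabled):
    """Pick scripting modules out of a whitespace-separated module listing."""
    return [m for m in enabled.split() if any(s in m.lower() for s in SCRIPTING)]

def doc_aliases(config_text):
    """Return (url_path, fs_path) for each active Alias that maps into a doc tree."""
    hits = []
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        # Commented-out lines start with '#', so their first token is never "alias".
        if len(parts) < 2 or parts[0].lower() != "alias":
            continue
        try:
            args = shlex.split(parts[1])  # handles quoted paths
        except ValueError:
            continue  # unbalanced quotes: not a usable directive
        if len(args) != 2:
            continue
        target = posixpath.normpath(args[1])
        if any(target == r or target.startswith(r + "/") for r in DOC_ROOTS):
            hits.append((args[0], target))
    return hits

def audit(enabled, config_text):
    """Report doc aliases only when a scripting module is also enabled."""
    mods = scripting_modules(enabled)
    return [(url, path, mods) for url, path in doc_aliases(config_text)] if mods else []

# Subset of the module list given in the report; the vhost fragment is constructed.
SAMPLE_ENABLED = "alias auth_basic autoindex cgi cgid dav dir mime perl python status"
SAMPLE_CONFIG = """\
<VirtualHost *:80>
    DocumentRoot /var/www
    # Alias /old /usr/share/doc/old
    Alias /doc /usr/share/doc
    Alias /icons "/usr/share/apache2/icons/"
</VirtualHost>
"""

if __name__ == "__main__":
    for url, path, mods in audit(SAMPLE_ENABLED, SAMPLE_CONFIG):
        print(f"{url} -> {path} is served while {', '.join(mods)} enabled")
```

The check only reads Alias directives; it does not follow symlinks or per-user directories such as public_html, which the report also mentions.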


