
Re: about DSA-2452-1 apache2 -- insecure default configuration



On Mon, 23 Apr 2012 12:51:58 +0200, Vincent Lefevre wrote:

> On 2012-04-20 14:37:11 +0000, Camaleón wrote:

>> The user is the admin of his/her site and so the ultimate responsible
>> for his/her site security.
> 
> What do you mean by site security? AFAIK, the problem is a *host*
> security problem.

As Apache can be run in a multi-homed (virtual host) environment I can 
be the admin of *my* site (my apache configuration) but not for the 
others. I can fix my site but not the rest, meaning, there can be "sites" 
exposing a vulnerable configuration while other sites on the same host 
don't.

>> > There is a better solution: to fix mod_php and mod_rivet.
>> 
>> What's the fix you propose? I mean, what is it that you think is wrong in
>> these two packages? Fixing the sample scripts? Are these scripts poorly
>> written and exposing flaws?
> 
> Your last questions make no sense. 

Sorry, the DSA explains little about the origin of the error and how it 
can be exploited.

> The sample scripts are *not* in these two packages, but under
> /usr/share/doc! So, there is nothing to fix in the sample scripts
> themselves. The fix should be in the two packages, which shouldn't
> execute scripts stored in a random directory, i.e. the scripts in
> /usr/share/doc should just be seen as text files. This should be a bit
> like CGI's: they are executed only if the ExecCGI option has been set on
> the directory.

So you consider the flaw is "where", exactly? What do you think the 
packages are doing wrong? And most important, have you contacted the 
Apache guys to share your concerns with them?

Greetings,

-- 
Camaleón
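
[Editor's added example, not part of the original thread and not Debian's shipped configuration or the DSA-2452-1 patch. It shows the /doc/ alias the thread is arguing about, why scripts under it end up executed, and two ways to make that tree serve scripts as text. The default-site block is recalled from the apache2.2 packaging of the time and the Rivet extension handling is an assumption; both are marked as such in the comments.]

```apacheconf
# Added example, constructed for illustration; not Debian's shipped
# configuration and not the patch from DSA-2452-1.
#
# The block below approximates what the apache2.2 default site on Debian
# installed under /etc/apache2/sites-available/default (recalled from
# memory, so treat the exact lines as an assumption). It maps the URL /doc/
# onto /usr/share/doc/ and restricts it to localhost:
#
#   Alias /doc/ "/usr/share/doc/"
#   <Directory "/usr/share/doc/">
#       Options Indexes MultiViews FollowSymLinks
#       AllowOverride None
#       Order deny,allow
#       Deny from all
#       Allow from 127.0.0.0/255.0.0.0 ::1/128
#   </Directory>
#
# Nothing in that block says "execute scripts". Execution comes from the
# scripting modules' own server-wide handler mappings (php5.conf,
# rivet.conf), which apply to every path the server can reach, including
# the sample scripts packages drop into /usr/share/doc/<pkg>/examples/.

# Fix A (simplest): stop mapping /usr/share/doc at all. Delete or comment
# out the Alias and the Directory block above; the documentation stays
# readable on the filesystem.

# Fix B: keep /doc/ but make this tree non-executable, in the spirit of the
# ExecCGI analogy: scripts are served as text unless a directory opts in.
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    # ExecCGI is deliberately absent, so mod_cgi will not run anything here.
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None

    # mod_php: switch the engine off for this tree. php_admin_flag cannot
    # be re-enabled from .htaccess or ini_set(). With the engine off,
    # mod_php declines the request and the core handler returns the file
    # as a plain file, which is what you want for sample code.
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>

    # mod_rivet: assumption that Debian's rivet.conf attaches the module by
    # file extension (AddType/AddHandler for .rvt/.tcl). Undo that here.
    <IfModule mod_rivet.c>
        RemoveType .rvt .tcl
        RemoveHandler .rvt .tcl
    </IfModule>

    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
```

Two practical notes. First, do not rely on `SetHandler default-handler` inside this `<Directory>` to undo a handler that a server-level `<FilesMatch>` set (which is how php5.conf maps `.php` on Debian): Apache merges `<Files>`/`<FilesMatch>` sections after `<Directory>` sections, so the global mapping wins; `php_admin_flag engine off` applies regardless of how the handler was mapped. Second, verify rather than assume: run `apache2ctl -t`, reload, then fetch a known sample script under /doc/ from localhost and confirm the response body is the script's source text, not its output.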

