
Re: about DSA-2452-1 apache2 -- insecure default configuration

On 2012-04-20 14:37:11 +0000, Camaleón wrote:
> On Fri, 20 Apr 2012 01:50:29 +0200, Vincent Lefevre wrote:
> > On 2012-04-19 15:08:55 +0000, Camaleón wrote:
> >> >> I can be wrong but the bug seems aimed to correct the package which
> >> >> contains the file that enables the alias by default, hence the
> >> >> apache2 package.
> >> > 
> >> > But the user isn't necessarily the administrator. If the admin
> >> > installs mod_php, making the bug appear if the user has added a
> >> > symlink to /usr/share/doc, that's very bad.
> >> 
> >> Sure, but in such case the user (who is in charge of the "alias" for
> >> their domains) will have to manually make the required corrections and
> >> the same goes for the vhosts.
> > 
> > Except that if the user doesn't do this, the same security problem will
> > occur.
> The user is the admin of his/her site and so the ultimate responsible for
> his/her site security.

What do you mean by site security? AFAIK, the problem is a *host*
security problem.

> >> There are times when a global solution can't be applied and this seems
> >> to be one of those situations.
> > 
> > There is a better solution: to fix mod_php and mod_rivet.
> What's the fix you propose? I mean, what's what you think is wrong in 
> these two packages? Fixing the sample scripts? Are these scripts poorly 
> written and exposing flaws?

Your last questions make no sense. The sample scripts are *not* in
these two packages, but under /usr/share/doc! So, there is nothing
to fix in the sample scripts themselves. The fix should be in the
two packages, which shouldn't execute scripts stored in a random
directory, i.e. the scripts in /usr/share/doc should just be seen
as text files. This should be a bit like CGIs: they are executed
only if the ExecCGI option has been set on the directory.

Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
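The opt-in model argued for above (script engines off unless a directory explicitly enables them, the way CGI needs ExecCGI) can be approximated today at the Apache configuration level. The fragment below is an added example and not part of the thread or of the Debian apache2 package; it assumes Apache 2.2 with mod_php5 (directive names `php_admin_flag`, `php_admin_value`) and an application directory `/var/www/app/` that is chosen here for illustration. Note that `<Directory>` blocks match the path as traversed, so a symlink elsewhere that points into `/usr/share/doc` is not covered by the `/usr/share/doc` block; that is exactly why the global default-off setting is the part that matters.

```apache
# --- Weak (illustrative of the default being discussed) ---
# With mod_php loaded, any .php file reachable through this alias is
# executed instead of being served as documentation text.
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
</Directory>

# --- Hardened: script execution is opt-in per directory ---

# 1. Server-wide default: the PHP engine is OFF everywhere.
#    php_admin_* cannot be overridden from .htaccess, so a site owner
#    cannot silently re-enable it.
<IfModule mod_php5.c>
    php_admin_flag engine off
</IfModule>

# 2. The documentation tree is served as plain text only.
<Directory "/usr/share/doc/">
    Options Indexes MultiViews -FollowSymLinks -ExecCGI
    AllowOverride None
    # Drop any handler/type that would route these files to a script engine
    # (.rvt is the mod_rivet template extension).
    RemoveHandler .php .phtml .rvt
    RemoveType    .php .phtml .rvt
    ForceType text/plain
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
</Directory>

# 3. PHP is enabled only where an application is deliberately deployed
#    (assumed path for this example).
<Directory "/var/www/app/">
    AllowOverride None
    <IfModule mod_php5.c>
        php_admin_flag  engine       on
        php_admin_value open_basedir "/var/www/app/"
    </IfModule>
</Directory>
```

After loading such a configuration, a quick check is to request a known example script under `/doc/` and confirm the response carries `Content-Type: text/plain` with the source shown verbatim rather than interpreted output; the same request against the application directory should still execute.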
