
Re: about DSA-2452-1 apache2 -- insecure default configuration



On 2012-04-23 15:06:44 +0000, Camaleón wrote:
> On Mon, 23 Apr 2012 12:51:58 +0200, Vincent Lefevre wrote:
> 
> > On 2012-04-20 14:37:11 +0000, Camaleón wrote:
> 
> >> The user is the admin of his/her site and so the ultimate responsible
> >> for his/her site security.
> > 
> > What do you mean by site security? AFAIK, the problem is a *host*
> > security problem.
> 
> As Apache can be run in a multi-homed (virtual host) environment I can 
> be the admin of *my* site (my apache configuration) but not for the 
> others. I can fix my site but not the rest, meaning, there can be "sites" 
> exposing a vulnerable configuration while other sites in the same host 
> don't.

You assume that there is just a user Apache configuration for each
virtual host. This is not the case. If a site decides to make script
contents available (as text), but then a global configuration (e.g.
the fact of installing some Apache module) changes the behavior so that
the script, instead of being displayed as text, gets executed when
the URL is opened, then it is not the site that exposes a vulnerable
configuration, but a global problem.

> >> > There is a better solution: to fix mod_php and mod_rivet.
> >> 
> >> What's the fix you propose? I mean, what's what you think is wrong in
> >> these two packages? Fixing the sample scripts? Are these scripts poorly
> >> written and exposing flaws?
> > 
> > Your last questions make no sense. 
> 
> Sorry, the DSA explains little about the origin of the error and how it 
> can be exploited.
> 
> > The sample scripts are *not* in these two packages, but under
> > /usr/share/doc! So, there is nothing to fix in the sample scripts
> > themselves. The fix should be in the two packages, which shouldn't
> > execute scripts stored in a random directory, i.e. the scripts in
> > /usr/share/doc should just be seen as text files. This should be a bit like
> > CGI's: they are executed only if the ExecCGI option has been set on the
> > directory.
> 
> So you consider the flaw is "where", exactly?

As I've said, in the mod_php and mod_rivet modules.

> What do you think the packages are doing wrong? And most important,
> have you contacted the Apache guys to share your concerns with them?

I know nothing about these modules (except that they will change the
Apache configuration), but this may also be due to Debian-related
settings.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

