Re: about DSA-2452-1 apache2 -- insecure default configuration
On 2012-04-24 15:48:38 +0000, Camaleón wrote:
> On Tue, 24 Apr 2012 17:06:27 +0200, Vincent Lefevre wrote:
> > You assume that there is just a user Apache configuration for each
> > virtual host. This is not the case. If a site decides to make script
> > contents available (as text), but then a global configuration (e.g. the
> > fact of installing some Apache module) changes the behavior so that the
> > script, instead of being displayed as text, becomes executed when the
> > URL is opened, then it is not the site that exposes a vulnerable
> > configuration, but a global problem.
>
> Still a problem that has to be fixed by the admin of the site regardless
> of its scope (global or local).

This is just a workaround. The real problem hasn't been fixed.
And this means that it is no longer possible to read arbitrary
documentation from doc directories easily.

> >> So you consider the flaw is "where", exactly?
> >
> > As I've said, in the mod_php and mod_rivet modules.
>
> Yes, but what part of the code do you think needs to be fixed? The *.so
> library file itself?

I don't know how they work. Ideally modules that change the behavior
should be used with something like, e.g. for a module providing some
feature Foo:

  <Directory /path/to/dir>
    Options +Foo
  </Directory>

Only sites (or parts of sites) that need such a module would do that.
Thus directories like /usr/share/doc would be unaffected by such
modules.

Or if for some reason, the behavior may be enabled globally, the
default config for doc could be:

  <Directory /usr/share/doc>
    Options -Foo
  </Directory>

to be sure that Foo is not used, even if the configuration is changed
somewhere else.

> >> What do you think the packages are doing wrong? And most important,
> >> have you contacted the Apache guys to share your concerns with them?
> >
> > I know nothing about these modules (except that they will change the
> > Apache configuration), but this may also be due to Debian-related
> > settings.
>
> Mmm... "libapache2-mod-php5" and "libapache2-mod-rivet" are both
> made up of a bunch of files, updating these would have been even easier
> than having to touch Apache's default config file(s), there must be a
> good reason for having proceeded in this way, then.

Perhaps because this hasn't been done yet? If they have hardcoded
non-configurable features, this may not be easy.

> And now I think... I wonder if users running Lenny with any of these
> packages installed and the default alias to the doc path are also
> vulnerable.

I would say: probably.

--
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
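
A check for the combination discussed in this thread (an alias to the doc path together with a script-executing module), as an added example that is not part of the original message or of any Debian or Apache tooling. The function names, the substring heuristic for module names, and the assumption that the caller passes already-concatenated configuration text (Include directives are not followed) are all hypothetical.

```python
import posixpath
import shlex

DOC_ROOT = "/usr/share/doc"  # doc tree discussed in the thread
# Assumption: substring heuristic for module names such as php5_module.
SCRIPT_MODULE_HINTS = ("php", "rivet")

# Constructed sample, not a real site's configuration.
SAMPLE = """\
LoadModule php5_module /usr/lib/apache2/modules/libphp5.so
<VirtualHost *:80>
    DocumentRoot /var/www
    #Alias /manual/ "/usr/share/doc/apache2-doc/manual/"
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
    </Directory>
</VirtualHost>
"""

def directives(config_text):
    """Yield (lowercased name, args) for each directive line."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue  # blank, comment, or section open/close tag
        try:
            parts = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: skip rather than guess
        yield parts[0].lower(), parts[1:]

def under_doc_root(path):
    norm = posixpath.normpath(path)
    return norm == DOC_ROOT or norm.startswith(DOC_ROOT + "/")

def audit(config_text):
    """Report doc-path aliases and script modules found in config_text."""
    aliases, modules = [], []
    for name, args in directives(config_text):
        if name == "alias" and len(args) == 2 and under_doc_root(args[1]):
            aliases.append((args[0], args[1]))
        elif name == "loadmodule" and args and any(
                hint in args[0].lower() for hint in SCRIPT_MODULE_HINTS):
            modules.append(args[0])
    return {"doc_aliases": aliases, "script_modules": modules,
            "needs_review": bool(aliases and modules)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A True "needs_review" only means both conditions are present in the text given; whether scripts under the doc tree would actually be executed depends on the rest of the configuration.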