
Re: about DSA-2452-1 apache2 -- insecure default configuration



On 2012-04-24 15:48:38 +0000, Camaleón wrote:
> On Tue, 24 Apr 2012 17:06:27 +0200, Vincent Lefevre wrote:
> > You assume that there is just a user Apache configuration for each
> > virtual host. This is not the case. If a site decides to make script
> > contents available (as text), but then a global configuration (e.g. the
> > fact to install some Apache module) changes the behavior so that the
> > script, instead of being displayed as text, becomes executed when the
> > URL is opened, then it is not the site that exposes a vulnerable
> > configuration, but a global problem.
> 
> Still a problem that has to be fixed by the admin of the site regardless
> of its scope (global or local).

This is just a workaround. The real problem hasn't been fixed.
And this means that it is no longer possible to read arbitrary
documentation from doc directories easily.

> >> So you consider the flaw is "where", exactly?
> > 
> > As I've said, in the mod_php and mod_rivet modules.
> 
> Yes, but what part of the code do you think needs to be fixed? The *.so
> library file itself?

I don't know how they work. Ideally modules that change the behavior
should be used with something like, e.g. for a module providing some
feature Foo:

<Directory /path/to/dir>
  Options +Foo
</Directory>

Only sites (or parts of sites) that need such a module would do that.
Thus directories like /usr/share/doc would be unaffected by such
modules.

Or if for some reason, the behavior may be enabled globally, the
default config for doc could be:

<Directory /usr/share/doc>
  Options -Foo
</Directory>

to be sure that Foo is not used, even if the configuration is changed
somewhere else.

> >> What do you think the packages are doing wrong? And most important,
> >> have you contacted the Apache guys to share your concerns with them?
> > 
> > I know nothing about these modules (except that they will change the
> > Apache configuration), but this may also be due to Debian-related
> > settings.
> 
> Mmm... "libapache2-mod-php5" and "libapache2-mod-rivet" are both
> made up of a bunch of files; updating these would have been even easier
> than having to touch Apache's default config file(s), so there must be a
> good reason for having proceeded in this way, then.

Perhaps because this hasn't been done yet? If they have hardcoded
non-configurable features, this may not be easy.

> And now I think... I wonder if users running Lenny with any of these 
> packages installed and the default alias to the doc path are also 
> vulnerable.

I would say: probably.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
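The "Options -Foo" idea above, as an added configuration example that is not part of the thread and not Debian's actual fix: a stanza for the /doc alias that pins the directory to plain-file serving so that a globally enabled script module does not turn documentation files into executable content. The directive names are real Apache 2.2 / mod_php directives; the assumption is that mod_php is the module in question and that the server otherwise uses the Lenny-era Debian layout.

```apache
# Added example, not from the mailing-list thread or the Debian package.
# Hardens the /doc alias so scripts under /usr/share/doc stay plain files
# even if mod_php (or a similar handler module) is enabled server-wide.

Alias /doc/ "/usr/share/doc/"

<Directory "/usr/share/doc/">
    # Plain content only: no CGI, no server-side includes, no symlink
    # following; directory listings kept for browsing the docs.
    Options -ExecCGI -Includes -FollowSymLinks +Indexes +MultiViews

    # No .htaccess may re-enable anything turned off here.
    AllowOverride None

    # Force the static-file handler for every file, overriding any handler
    # a module registered globally (e.g. for .php or .rvt files).
    SetHandler default-handler

    # Belt and braces: if mod_php is loaded anyway, switch its engine off
    # for this tree. (Assumes the Debian mod_php5 module name.)
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>

    # Keep Debian's original restriction: local access only.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
```

After a reload, requesting a .php file below /doc/ from localhost should return its source with a text/plain or application/x-httpd-php content type rather than executed output; that request is the simplest check that the stanza took effect. The two mechanisms are deliberately redundant: `SetHandler default-handler` works for any handler-based module, while `php_admin_flag engine off` covers mod_php specifically and cannot be undone from a .htaccess file.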

