[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: about DSA-2452-1 apache2 -- insecure default configuration

On Tue, 24 Apr 2012 18:19:11 +0200, Vincent Lefevre wrote:

> On 2012-04-24 15:48:38 +0000, Camaleón wrote:
>> On Tue, 24 Apr 2012 17:06:27 +0200, Vincent Lefevre wrote:
>> > You assume that there is just a user Apache configuration for each
>> > virtual host. This is not the case. If a site decides to make script
>> > contents available (as text), but then a global configuration (e.g.
>> > the fact to install some Apache module) changes the behavior so that
>> > the script, instead of being displayed as text, becomes executed when
>> > the URL is opened, then it is not the site that exposes a vulnerable
>> > configuration, but a global problem.
>> 
>> Still a problem that has to be fixed by the admin of the site
>> regardless its scope (global or local).
> 
> This is just a workaround. The real problem hasn't been fixed. And this
> means that it is no longer possible to read arbitrary documentation from
> doc directories easily.

I'm still not sure about that mainly because I don't see other 
distributions (besides Ubuntu) fixing it :-?

>> >> So you consider the flaw is "where", exactly?
>> > 
>> > As I've said, in the mod_php and mod_rivet modules.
>> 
>> Yes, but what part of the code you think it needs to be fixed. The *.so
>> library file itself?
> 
> I don't know how they work. Ideally modules that change the behavior
> should be used with something like, e.g. for a module providing some
> feature Foo:
> 
> <Directory /path/to/dir>
>   Options +Foo
> </Directory>
> 
> Only sites (of parts of sites) that need such a module would do that.
> Thus directories like /usr/share/doc would be unaffected by such
> modules.
> 
> Or if for some reason, the behavior may be enabled globally, the default
> config for doc could be:
> 
> <Directory /usr/share/doc>
>   Options -Foo
> </Directory>
> 
> to be sure that Foo is not used, even if the configuration is changed
> somewhere else.

Well, in one of my lenny servers (that don't have any of those "mod_" 
packages installed) the alias to the "/usr/share/doc" path is present in 
Apache's default config file.

>> >> What do you think the packages are doing wrong? And most important,
>> >> have you contacted the Apache guys to share your concerns with them?
>> > 
>> > I know nothing about these modules (except that they will change the
>> > Apache configuration), but this may also be due to Debian-related
>> > settings.
>> 
>> Mmm... "libapache2-mod-php5" and "libapache2-mod-rivet" are both
>> conformed by a bunch of files, updating these would have been even
>> easier than having to touch Apache's default config file(s), there must
>> be a good reason for having proceed in this way, then.
> 
> Perhaps because this hasn't been done yet? If they have hardcoded
> non-configurable features, this may not be easy.

It can be a possibility, yes. True is that I neither have found more 
detailed information about this security flaw.

>> And now I think... I wonder if users running Lenny with any of these
>> packages installed and the default alias to the doc path are also
>> vulnerable.
> 
> I would say: probably.

The Mitre¹ site (updated recently) says "The default configuration of the 
apache2 package in Debian GNU/Linux squeeze before 2.2.16-6+squeeze7, 
wheezy before 2.2.22-4, and sid before 2.2.22-4 (...)", note the 
"before". Gee, I'm thinking in manually removing the alias block in the 
servers running Lenny where those packages are installed :-/

¹http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0216

Greetings,

-- 
Camaleón
Reply to: