insecure default install on unix

This WebDNA talk-list message is from 2002. It keeps the original formatting.
numero = 43144

Hi all,

I was just going through some security checks on our OSX install of WebCatalog 4.5, and noticed that .inc files are served as raw source by Apache when requested directly by the browser.

Many of the included WebMerchant templates are .inc files, and (at least in our case) most of our [include]'d templates we generate end in .inc as well. Anyone who guesses the filename of any .inc file in your vhost or WebCatalog directory will be able to view your webcat source. Depending on how cryptic your naming conventions are and the location of your .inc files, this could be either a gaping or microscopic security hole...

We keep all our includes in Globals, so for the most part (I think/hope), we are immune to this problem. I haven't found a way to access files in http://server.com/cgi-bin/WebCatalogEngine/Globals/ through a web browser, I assume because of the additional Apache restrictions on anything inside cgi-bin...

The fix is simple. Add these lines to your httpd.conf below the .db protect line and restart apache:

    deny from all

This causes apache to deny access to anything ending in .inc or .inc.gz, .inc old, etc. from web browsers, but does not prevent webcat from using them.

Since .inc files are present in the default WebCat install, I highly recommend that the above (or something similar) be added to the default install of WebCatalog in the near future to protect those files from prying eyes.

Anyway, I hope this raises some eyebrows for you OSX/Linux/Solaris/BSD admins out there, or at least those of you who aren't already apache experts.

Later,
Dale

-------------------------------------------------------------
This message is sent to you because you are subscribed to the mailing list .
To unsubscribe, E-mail to:
To switch to the DIGEST mode, E-mail to
Web Archive of this list is at: http://search.smithmicro.com/

Associated Messages, from the most recent to the oldest:

    
  1. Re: insecure default install on unix (John Peacock 2002)
  2. Re: insecure default install on unix (Donovan 2002)
  3. insecure default install on unix (Dale LaFountain 2002)
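The check and the fix described in Dale's message, as an added example (this is not Dale's code and not part of the WebCatalog distribution): a small Python probe that requests a list of candidate .inc paths and reports which ones come back as raw WebDNA source, together with the httpd.conf fragment to add below the .db protection. The `<FilesMatch>` wrapper is this example's assumption, since the directive tags around "deny from all" in the original post did not survive the archive; the candidate filenames and the host are placeholders, and the `fetcher` argument exists only so the logic can be exercised without a live server.

```python
"""Probe a WebDNA/WebCatalog site for .inc templates that Apache serves as raw
source, and print the httpd.conf fix when any are found.
Added example; not code from the original list message or from WebCatalog."""
import re
import sys
import urllib.error
import urllib.request

# Hardened httpd.conf fragment for Apache 1.3 / 2.0 / 2.2 (mod_access).
# The <FilesMatch> wrapper is this example's assumption: the tags around
# "deny from all" in the original post were lost by the archive.
# The pattern is an unanchored regex, so it also covers header.inc.gz,
# "header.inc old" and similar leftovers.  It only affects browser requests;
# WebCatalog still reads the files from disk, so [include] keeps working.
HARDENED_FRAGMENT = r'''
<FilesMatch "\.inc">
    Order allow,deny
    Deny from all
</FilesMatch>
'''

# The same rule in Apache 2.4 syntax (mod_authz_core).
HARDENED_FRAGMENT_24 = r'''
<FilesMatch "\.inc">
    Require all denied
</FilesMatch>
'''

# WebDNA context tags that only show up in unprocessed template source.
WEBDNA_TAG = re.compile(
    r"\[(include|showif|hideif|founditems|search|text|math|lookup|cart|interpret)\b",
    re.IGNORECASE,
)


def classify(status, body):
    """Turn one HTTP response into a verdict for the requested .inc path."""
    if status == 403:
        return "denied"
    if status == 404:
        return "not-found"
    if status == 200 and WEBDNA_TAG.search(body):
        return "EXPOSED"      # raw WebDNA source reached the client
    if status == 200:
        return "served"       # 200 but no template syntax visible
    return "other:%d" % status


def fetch(url, timeout=5):
    """Return (status, body); HTTP error responses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "inc-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError as err:      # refused, DNS failure, timeout
        return 0, str(err.reason)


def probe(base_url, paths, fetcher=fetch):
    """Map each candidate include path to its verdict.

    fetcher is injectable so the logic can be exercised without a server."""
    results = {}
    for path in paths:
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        status, body = fetcher(url)
        results[path] = classify(status, body)
    return results


# Placeholder guesses (hypothetical); real names depend on your own templates.
DEFAULT_PATHS = ["header.inc", "footer.inc", "WebMerchant/header.inc"]

if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost/"
    verdicts = probe(base, DEFAULT_PATHS)
    for path, verdict in verdicts.items():
        print("%-30s %s" % (path, verdict))
    if "EXPOSED" in verdicts.values():
        print("\nAdd below the .db protection in httpd.conf and restart Apache:")
        print(HARDENED_FRAGMENT)
```

Run it as `python inc_probe.py http://your.host/` with your own include names in `DEFAULT_PATHS`; a verdict of "denied" after the restart confirms the rule is in place, while "served" (200 without tags) usually means WebCatalog itself handled the request and is worth a second look.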
