Very interesting thread; unfortunately I can't add my ideas and
suggestions, since currently I'm more involved with Asp.Net and IIS
security.
But it seems to me that, given the complexity of web application
deployment, it is a certainty that configuration errors will occur (even
the most experienced and competent sysadmins make occasional mistakes).
I think that the best solution is to have tools that test the server's
security configuration (from the inside) and help those administrators
fix the problems identified.
I created such a tool for the IIS environment (Asp.Net Security Analyser),
and would be very interested to know if anybody has developed a similar
tool for the Linux/Apache environments.
Best regards
Dinis Cruz
.Net Security Consultant
DDPlus (www.ddplus.net)
NOTE: I'm also Portuguese! Currently I live in London, but it is
definitely a small world we live in :) .
> -----Original Message-----
> From: MTeixeira_at_njtransit.com [mailto:MTeixeira_at_njtransit.com]
> Sent: Wednesday, November 05, 2003 6:36 PM
> To: vasco_at_all-2-it.com; webappsec_at_securityfocus.com
> Subject: RE: htaccess with apache
>
>
> I agree with Antonio. Just because the default is to allow
> it, it doesn't mean it should be left alone. Unfortunately,
> it's the case with many other issues where the default isn't
> good enough.
>
> P.S. Viva portugal :)
>
> MIGUEL A. TEIXEIRA
> NJ Transit Corporation Information Services
> One Penn Plaza East, Newark, NJ 07105-2246
> v: 973.491.8153 f: 973.491.7511
> mteixeira_at_njtransit.com
> www.njtransit.com
>
>
> -----Original Message-----
> From: António Vasconcelos [mailto:vasco_at_all-2-it.com]
> Sent: Wednesday, November 05, 2003 8:22 AM
> To: webappsec_at_securityfocus.com
> Subject: Re: htaccess with apache
>
>
> Tim Greer wrote:
>
> >> MORE IMPORTANTLY,
> >> /etc/passwd shouldn't be readable by the CGI server!
> >
> > Sure it should be! The default permissions (that are safe
> > too) are 644 for this file. Are you thinking of shadow or
> > master.passwd???
> >
> It shouldn't...
> There is no need for nobody/nobody to read the /etc/passwd file.
> Of course the passwords are in /etc/shadow, but I see no reason to show
> everyone (or nobody in this case, hehehe) the list of users
> and their shells. Yes, the default permissions will allow user
> nobody to do just that; that's why there are unixes where you can set up
> extended permissions for any file.
>
> --
>
> António Vasconcelos
> (Systems Administrator)
> ALL2IT-Infocomunicações, SA
> Torre de Monsanto, 6º Piso
> Miraflores, Algés
> PORTUGAL
> Telf.: + 351 21 412 39 50
> Fax.: + 351 21 410 51 94
>
>
>
> *CONFIDENTIAL*: This message contains confidential information or
> privileged material, and is intended only for its recipients. Under the
> law in force, if an error has caused you to receive this message by
> mistake, please notify the sender immediately and delete it from your
> system without reproducing it.
> *CONFIDENTIAL*: This e-mail contains proprietary information, some or
> all of which may be legally privileged. It is for the intended
> recipients only. According to the law in force, if an addressing or
> transmission error has misdirected this e-mail, please notify the author
> by replying to this e-mail and delete it from your system without
> retaining a copy.
Received on Nov 11 2003
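As an added illustration of the kind of inside-the-server check Dinis Cruz asks about (and of the file-permission point argued in the quoted replies), here is a small POSIX shell audit script. It is not code from the thread, from Asp.Net Security Analyser, or from any tool mentioned above; the file names, modes and contents are constructed in a temporary directory purely as sample input, so the script runs on any Unix-like host without touching real system files.

```shell
#!/bin/sh
# Added example, not code from the thread or from any tool mentioned in it:
# an inside-the-server permission audit. It reports which of a set of
# sensitive files an unprivileged account such as the web server's "nobody"
# user could read through the "other" read bit. The sample files below are
# constructed in a temporary directory so the script runs anywhere.

# is_world_readable PATH
# Exit status 0 when "other" has the read bit set on PATH, 1 otherwise.
# find -perm -004 is POSIX and matches when at least the o+r bit is present;
# -prune keeps find from descending if PATH happens to be a directory.
is_world_readable() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# count_world_readable PATH...
# Prints one report line per path on stderr and echoes the number of
# world-readable paths on stdout, so callers can act on the count.
count_world_readable() {
    n=0
    for p in "$@"; do
        if is_world_readable "$p"; then
            echo "WORLD-READABLE  $p" >&2
            n=$((n + 1))
        else
            echo "restricted      $p" >&2
        fi
    done
    echo "$n"
}

# demo_setup
# Builds a constructed stand-in for a web host's sensitive files, using the
# modes commonly found in the field, and records the directory in DEMO_DIR.
demo_setup() {
    DEMO_DIR=$(mktemp -d) || return 1
    printf 'www-data:x:33:33::/var/www:/usr/sbin/nologin\n' > "$DEMO_DIR/passwd"
    printf 'www-data:*:19000:0:99999:7:::\n' > "$DEMO_DIR/shadow"
    printf 'AuthType Basic\nAuthUserFile %s/.htpasswd\nRequire valid-user\n' \
        "$DEMO_DIR" > "$DEMO_DIR/.htaccess"
    printf 'alice:$apr1$placeholder$placeholderhash\n' > "$DEMO_DIR/.htpasswd"
    chmod 644 "$DEMO_DIR/passwd" "$DEMO_DIR/.htaccess"   # defaults: world-readable
    chmod 600 "$DEMO_DIR/shadow"                         # owner (root) only
    chmod 640 "$DEMO_DIR/.htpasswd"                      # owner and group only
}

demo_setup
count_world_readable "$DEMO_DIR/passwd" "$DEMO_DIR/shadow" \
                     "$DEMO_DIR/.htaccess" "$DEMO_DIR/.htpasswd"
```

Two caveats follow from the thread itself. The check inspects only the classic mode bits, so it says nothing about the "extended permissions" (ACLs) António Vasconcelos mentions; an audit on a host that uses them has to query the ACL as well. And because every program that resolves a user name reads /etc/passwd, taking the read bit away from the web server account is rarely practical; the files where the finding usually matters are the ones that should never have been 644 in the first place, such as .htpasswd, shadow and application configuration holding credentials.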