janat_private wrote:

> Sorry, if already known (not found anywhere or even heard about):
>
> At the beginning of the week (after the release of apache 1.2.5)
> we discovered a DoS attack in apache and (eventually) other / all (?)
> httpd's. Many thanks to Bernard "sendmail" Steiner <bsat_private>,
> who got the important idea.
>
> For apache 1.2.x (and very sure all versions before), the
> DoS may be exploited if both of the following conditions are true:
>
> - the intruder has (at least FTP) write access to (at least)
>   one HTML directory
>
> - per directory access (AccessFileName configuration directive)
>   is enabled and the filename is known to the intruder
>   (default is .htaccess)

And (most important):

- AllowOverride has been set up to allow AuthConfig overrides in an
  untrusted user's directory.

This is a serious configuration error. AllowOverride can be used to give
users access to very considerable portions of the server setup. Untrusted
users should have no (or strictly limited) access to the server
configuration. Fully enabled .htaccess files can easily be abused to lock
up or bring down the server or circumvent security restrictions in many
different ways!

> (...)
> possible fixes:
>
> a) workaround
>
> Disable .htaccess in srm.conf by commenting out AccessFileName:
> (default is NULL in the apache distribution, e.g. disabled)
>
> #AccessFileName .htaccess

A more reasonable workaround than disabling access restrictions for all
users or trying to patch the server against handling unsafe files would be
not to allow AuthConfig overrides for untrusted users.
There should be no need to allow users to specify their own password file
anyway - the name and location provided by the server administration is
fully sufficient. AllowOverride can and should be set to None or Limit
unless you have very good reasons to give the user more access to the
server configuration - AuthConfig can (apart from the described DoS
attacks) be abused for password probing and all other overrides (Options,
FileInfo and Indexes) can be abused to publish any document readable by
the server process.

regards
Sevo

--
Sevo Stille                      sevoat_private
Web Department                   inm numerical magic GmbH
Tel: ++49 (69) 9419630           Daimlerstrasse 32
Fax: ++49 (69) 94196322          D 60314 Frankfurt a.M.
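An added check, written for this archive page and not part of either poster's message, that turns the reply's advice into a small audit: it parses constructed httpd.conf fragments (one with the weak `AllowOverride AuthConfig Options` setting for user directories, one corrected to `AllowOverride Limit`) and reports every directory under an untrusted prefix whose AllowOverride admits AuthConfig, Options, FileInfo, Indexes or All. The function names `parse_directories` and `audit`, the `untrusted_prefixes` parameter and the sample paths are assumptions of this example; it also assumes non-nested `<Directory>` blocks and treats a missing AllowOverride as the Apache 1.x default of All.

```python
import re

# Constructed sample httpd.conf fragments (not from the original posts).
WEAK_CONF = """\
AccessFileName .htaccess
<Directory /usr/local/apache/htdocs>
    AllowOverride None
</Directory>
<Directory /home/*/public_html>
    AllowOverride AuthConfig Options
</Directory>
"""

HARDENED_CONF = """\
AccessFileName .htaccess
<Directory /usr/local/apache/htdocs>
    AllowOverride None
</Directory>
<Directory /home/*/public_html>
    AllowOverride Limit
</Directory>
"""

# Override classes the reply names as abusable from a user-writable .htaccess.
RISKY = {"all", "authconfig", "options", "fileinfo", "indexes"}

DIRECTORY_RE = re.compile(r"<Directory\s+([^>\s]+)\s*>(.*?)</Directory>", re.I | re.S)
OVERRIDE_RE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.I | re.M)


def parse_directories(conf):
    """Map each <Directory> path to its lower-cased AllowOverride tokens.

    A block with no AllowOverride is recorded as ['all'], the Apache 1.x
    default (assumption of this example: blocks are not nested).
    """
    result = {}
    for path, body in DIRECTORY_RE.findall(conf):
        m = OVERRIDE_RE.search(body)
        result[path] = m.group(1).lower().split() if m else ["all"]
    return result


def audit(conf, untrusted_prefixes=("/home/",)):
    """Return [(path, [risky tokens])] for untrusted directories whose
    AllowOverride lets a .htaccess change AuthConfig, Options, FileInfo or
    Indexes (or everything, via All). 'None' and 'Limit' pass the check."""
    findings = []
    for path, tokens in parse_directories(conf).items():
        if not path.startswith(untrusted_prefixes):
            continue
        risky = sorted(t for t in tokens if t in RISKY)
        if risky:
            findings.append((path, risky))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "ok")
```

Run against a real configuration, the `untrusted_prefixes` tuple would list the document roots writable by FTP or shell users; `Limit` is left out of `RISKY` because, as the reply says, it is the override the administrator may reasonably leave in place.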
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:39:14 PDT