This is a discussion on apache2 2.2 security within the Linux Web Servers forums, part of the Web Server and Related Forums category.
Hi.

I'm facing a problem for which I can't find a solution.

I got a server with multiple vhosts. Recently a bug was discovered in "struts2" (http://struts.apache.org/2.0.14/docs/s2-004.html) and I'd like to quickly protect all sites on my server before applying a correction to the applications.

To do this, I would like to add a directive like

    <Directory "..">
        Order allow,deny
        Deny from all
    </Directory>

i.e.: if the URI contains two consecutive dots (".."), access is denied.

It works correctly except, for example, if a vhost redefines something like:

    <Location / >
        .....
    </Location>

The apache documentation confirms this: "Sections inside <VirtualHost> sections are applied after the corresponding sections outside the virtual host definition. This allows virtual hosts to override the main server configuration." (http://httpd.apache.org/docs/2.2/en/sections.html)

I find it strange to allow a vhost to override a globally defined security rule, isn't it?

How can I globally filter some URLs, whatever is defined in a vhost? I can't find any directive that matches.

I also tried:

    * RewriteEngine On
      RewriteRule ^.*\.\..*$ - [F,L]

    * RedirectMatch (.*)\.gif$ http://www.anotherserver.com$1.jpg

but those directives seem to not be applied to a vhost if defined globally.

Thanks in advance for your help.

Mike
On Fri, 28 Nov 2008 15:36:08 +0100
Mike Baroukh <mbaroukh@remove.cardiweb.com> wrote:

> Hi.
>
> I'm facing a problem for which I can't find a solution.
>
> I got a server with multiple vhosts.
> Recently a bug was discovered in "struts2"
> (http://struts.apache.org/2.0.14/docs/s2-004.html) and I'd like to
> quickly protect all sites on my server before applying a correction to
> the applications.
>
> To do this, I would like to add a directive like
>
> <Directory "..">

A <Directory> is a filesystem path, and is normalised before any <Directory> is applied. So the above will never match.

> i.e.: if the URI contains two consecutive dots (".."), access is denied.

You're probably concerned about xxx/../yyy

That's a non-issue, because apache normalises it out for you.

If you really mean what you wrote, please explain how xxx..yyy (with no slashes) impacts your security.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
Hi.

Thanks for your answer.

> You're probably concerned about xxx/../yyy
> That's a non-issue, because apache normalises it out for you.

It is an issue for me, as explained on http://struts.apache.org/2.0.14/docs/s2-004.html. It's not an apache issue but a struts2 issue. But I'd like to protect against this rapidly because it will take some time to upgrade struts2 (I have many projects impacted).

The problem is for URIs like

    /struts/..%252f..%252f..%252fWEB-INF/web.xml

I use mod_proxy_ajp and this URI is given "as is" to struts2. %25 is first replaced with "%", then the %2f is replaced with "/". So there is a double unescape before the "/" appears. It is struts2 that serves the file, so this is why it is not really an apache issue. By adding more "..%252f", I can retrieve files outside DocumentRoot.

For now, I removed the mapping of "/struts/*" URIs until I make an upgrade of struts2, but if there is an apache workaround, it would give me more time.

> <Directory "..">
> A <Directory> is a filesystem path, and is normalised before
> any <Directory> is applied. So the above will never match.

Right. I made many tests and I thought this one was working ...

Mike

Nick Kew wrote:
> On Fri, 28 Nov 2008 15:36:08 +0100
> Mike Baroukh <mbaroukh@remove.cardiweb.com> wrote:
>
>> Hi.
>>
>> I'm facing a problem for which I can't find a solution.
>>
>> I got a server with multiple vhosts.
>> Recently a bug was discovered in "struts2"
>> (http://struts.apache.org/2.0.14/docs/s2-004.html) and I'd like to
>> quickly protect all sites on my server before applying a correction to
>> the applications.
>>
>> To do this, I would like to add a directive like
>>
>> <Directory "..">
>
> A <Directory> is a filesystem path, and is normalised before
> any <Directory> is applied. So the above will never match.
>
>> i.e.: if the URI contains two consecutive dots (".."), access is denied.
>
> You're probably concerned about xxx/../yyy
> That's a non-issue, because apache normalises it out for you.
>
> If you really mean what you wrote, please explain how xxx..yyy
> (with no slashes) impacts your security.
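The double unescape Mike describes, as an added illustration rather than code from the thread: after one percent-decode, which is the stage httpd normalises, `..%252f` has become `..%2f` with no slash yet, so there is no `..` segment to collapse; a second decode is what produces the `../` the backend resolves. `single_decode_view` is a deliberately simplified model of that behaviour (an assumption, not httpd's code), and the log lines and the `flag_requests` helper are constructed for this example to show how a reviewer can spot requests whose fully decoded form escapes the `/struts/` mount.

```python
import posixpath
from urllib.parse import unquote

# Constructed access-log style request lines (not from the thread's server).
SAMPLE_LOG = """\
GET /struts/..%252f..%252f..%252fWEB-INF/web.xml HTTP/1.1
GET /struts/help.action HTTP/1.1
GET /images/../css/site.css HTTP/1.1
GET /struts/reports%2F2008.action HTTP/1.1
"""

def decode_rounds(path, max_rounds=5):
    """Percent-decode until stable; index 0 is the raw request path."""
    forms = [path]
    for _ in range(max_rounds):
        nxt = unquote(forms[-1])
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms

def single_decode_view(path):
    """Simplified model (assumption, not httpd's code): one decode, then
    dot-segment collapsing. '..%2f' has no slash, so nothing collapses."""
    return posixpath.normpath(unquote(path))

def full_decode_view(path):
    """What a backend that decodes a second time ends up resolving."""
    return posixpath.normpath(decode_rounds(path)[-1])

def traversal_round(path):
    """Decode round (0 = raw) at which a '..' path segment first appears,
    or -1 if it never does. A value >= 2 means double encoding was used."""
    for i, form in enumerate(decode_rounds(path)):
        if ".." in form.split("/"):
            return i
    return -1

def flag_requests(log_text, mount="/struts/"):
    """Return (path, round, resolved) for requests under `mount` whose
    fully decoded form resolves outside that mount."""
    hits = []
    for line in log_text.splitlines():
        path = line.split()[1]
        if not path.startswith(mount):
            continue
        resolved = full_decode_view(path)
        if not resolved.startswith(mount):
            hits.append((path, traversal_round(path), resolved))
    return hits
```

A single-encoded `%2F` (last sample line) decodes in one round to a path that stays under the mount and is not flagged, which is the distinction a rule blocking every `..` or `%2f` would miss.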