Introduction to the Apache Web Server - ApacheCon

More documents

Recommendations

Info

19.3.3 ServerSignature Automatically-generated error documents - such as when you go to a bad URL, or get a server error - have server information in them which looks a lot like the Server: headers. However, the information here is controled by a different directive. ServerSignature can be set to On, which returns the server information, Off, which does not, or Email which additionally adds the email address supplied in the ServerAdmin directive, with a mailto: link. On all versions prior to 2.0.44, the server information returned is the server version number and the ServerName. With version 2.0.44 and later, ServerSignature will return the details specified by the ServerTokens directive. ServerTokens default settings Although the default value of this directive is Off, the default configuration file sets it to On. 19.4 SSI Server Side Includes, which will be discussed in an upcoming chapter, can be a significant security risk. When enabling SSI, remember that you are allowing someone to execute arbitrary commands on your server. If that doesn’t give you pause, then you’re entirely too trusting. Don’t enable SSI unless you need to. If you need to, then enable it for the smallest possible scope of directories. And, if possible, use IncludesNoExec rather than Includes as your Options setting. The only saving grace here is that the arbitrary commands are executed by the Apache user, who, hopefully, doesn’t own any content on your server, as specified in the section above on file permissions. 19.5 CGI As with SSI, CGI allows people to execute arbitrary code on your server. You should, therefore, be very frightened. This is much more flexible than SSI, though, because people can write arbitrarily complex programs in any language, and execute them on your server. You should see the suexec section later for details about running CGI programs as other users, but by default, CGI programs are run as the user and group specificed in the User and Group directives. As with SSI, you should limit as much as possible the directories in which CGI execution is permitted. If possible, allow CGI execution in ScriptAlias directories only, as this will ease the burden of auditing code, since you won’t have to go hunting for it. Poorly written CGI programs are the easiest, fastest, and most common way to break into an Apache server, or to exploit the resources of an Apache server to do various things like send spam by proxy. 120
19.5.1 CGI exploit example - trusting form input One of the most common CGI exploit categories involved accepting data from HTML forms and trusting it. Remember that the user cannot be trusted. Like your mother always told you, don’t put that in your command, you don’t know where it’s been. Consider the following scenario. You have a form on your web site, which allows users to send you feedback email. Within your CGI code is something like the following: open MAIL, "|/usr/bin/sendmail -s $FORM’subject’ $FORM’to’"; print MAIL $FORM’body’; print MAIL "\n\n.\n\n"; close MAIL; Looks pretty straightforward. Data comes in from the form fields subject, to, and body, and this gets passed off to sendmail, which delivers the email. Email is composed to the address in to with a subject line of subject and a body of body, all specified in the form. There are two problems here. The first is that a clever (or not-so-clever, really) spammer can use this form to send as many email messages as they want, to whomever they want, by posting data to your CGI program. Since that email will come from your server, you will appear to be responsible for that email. The second problem is a little more subtle, and much more dangerous. It has to do with the awful way that the code here is calling sendmail. Rather than using a module/library to send the email, it is calling the system executable, and passing arguments to it. This is universally a bad idea, because it allows a clever person to circumvent your command line and insert their own. Consider, for example, if I enter into the form field to the value: bob@foo.com ; rm -rf / The first part of this is an email address. Great. But then I have the character ;, which terminates the command and starts a new one. At a regular command line, the ; character allows you to type multiple commands in the same line. Since your code is calling the command line, the same rules apply. So putting this in the form field will cause the sendmail command to be abandoned, and my other command to be executed, recursing through the entire file system deleting any file that I happen to have access to. Fortunately for the hackers, there are several rather popular (read: widely installed) CGI programs that do exactly that, and so all that they need to do is write scripts that attempt to put these sorts of arguments into web forms and see if they can do anything. 19.5.2 CGI exploit example - hidden form fields Hidden form fields are not hidden. This is another example of cosmetic security. * Hidden form fields are not hidden. 121
Page 1:
Introduction to the Apache Web Serv
Page 4 and 5:
3.1 Apache process architecture . .
Page 6 and 7:
8.3 Alias . . . . . . . . . . . . .
Page 8 and 9:
13 SSI 75 13.1 Configuration for SS
Page 10 and 11:
16.5 Typical errors . . . . . . . .
Page 12 and 13:
19.8 Modules . . . . . . . . . . .
Page 14 and 15:
23.1 Caching . . . . . . . . . . .
Page 16 and 17:
He wrote the CERN web server, and t
Page 18 and 19:
• provide a foundation for open,
Page 20 and 21:
This is a good point to encourage d
Page 22 and 23:
• htdocs • icons Show the stude
Page 24 and 25:
./configure --help ./configure --pr
Page 26 and 27:
2.6 apxs apxs is a Perl utility for
Page 28 and 29:
The “correct” value for these d
Page 30 and 31:
• Some modules, like mod php, don
Page 32 and 33:
• help apachectl symlink You may
Page 35 and 36:
Section 4 Configuration files http:
Page 37 and 38:
directory - Can be used in a secti
Page 39 and 40:
httpd -DUSESSL Then you could add a
Page 41 and 42:
Section 5 .htaccess files 5.1 Confi
Page 43:
5.3 Exercise Create .htaccess file
Page 46 and 47:
ServerName www.foo.com DocumentRoot
Page 48 and 49:
3. Verify that they are serving con
Page 51 and 52:
Section 7 MIME http://httpd.apache.
Page 53 and 54:
AddType application/x-tar tgz Note
Page 55 and 56:
7.4.3 mod gzip More will be said ab
Page 57 and 58:
Section 8 URL Mapping http://httpd.
Page 59 and 60:
Equivalent to ... Alias /cgi-bin/ /
Page 61 and 62:
Then /cgi-bin/404.cgi will look lik
Page 63 and 64:
----------------------------- The
Page 65:
UserDir disabled UserDir enabled rb
Page 68 and 69:
9.2 Negotiation Methods 9.2.1 Multi
Page 70 and 71:
Note, however, that CacheNegotiated
Page 72 and 73:
10.3 IndexOptions The arguments to
Page 74 and 75:
10.4 Additional directives In addit
Page 77 and 78:
Section 11 Performance Tuning http:
Page 79 and 80:
11.5 Tuning configuration settings
Page 81:
11.5.6 mod mmap static Map static f
Page 84 and 85: - JSP - etc, etc, etc • Each addr
Page 86 and 87: #!/usr/bin/perl use CGI; my $cgi =
Page 89 and 90: Section 13 SSI http://httpd.apache.
Page 91 and 92: SSIStartTag "" 13.4 SSI directives
Page 93: Most commonly, include is used to i
Page 96 and 97: SetHandler Much like the AddHandler
Page 98 and 99: advertising a page that has moved,
Page 100 and 101: AddHandler type-map .var 14.1.3 Cus
Page 102 and 103: AddOutputFilterByType DEFLATE text/
Page 104 and 105: 15.4 Configuration 15.4.1 PerlRequi
Page 106 and 107: Wow. 15.6.2 Apache::Registry If you
Page 108 and 109: 15.8.2 Installing the example mod p
Page 110 and 111: package Acme::Apache::Werewolf; use
Page 112 and 113: • "GET / HTTP/1.0" Request - Meth
Page 114 and 115: 16.4 Exercises 1. Construct a log f
Page 116 and 117: • Precisely how many visitors •
Page 118 and 119: 16.9.2 rotatelogs CustomLog "|/usr/
Page 120 and 121: • Set configuration to use this f
Page 122 and 123: • mod auth nds (Netware Directory
Page 124 and 125: 110
Page 126 and 127: • etc • Also, names like ’ema
Page 128 and 129: 114
Page 130 and 131: 19.2 File permissions The overridin
Page 132 and 133: 19.2.6 public html If users have we
Page 136 and 137: * Don’t put important things in t
Page 138 and 139: 19.10 mod security http://www.modse
Page 140 and 141: 126
Page 142 and 143: 20.3 Certificates • Generate a ke
Page 144 and 145: 130
Page 146 and 147: 21.1.2 Apache 2.0 modules: [access
Page 148 and 149: 21.6 mod auth Name mod auth On by d
Page 150 and 151: 21.13 mod cgi Name mod cgi On by de
Page 152 and 153: 21.21 mod include Name mod include
Page 154 and 155: Mapping files into memory to improv
Page 156 and 157: 21.35 mod status Name mod status On
Page 158 and 159: To enable DAV in a particular direc
Page 160 and 161: 23.2 Proxying The proxy part lets y
show all

Introduction to the Apache Web Server - ApacheCon

Create successful ePaper yourself

Delete template?

Save as template?