[Full-Disclosure] apache browsing files
Schmehl, Paul L
pauls at utdallas.edu
Mon Jan 5 21:27:30 GMT 2004
> -----Original Message-----
> From: full-disclosure-admin at lists.netsys.com
> [mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of
> Valdis.Kletnieks at vt.edu
> Sent: Monday, January 05, 2004 2:34 PM
> To: diego.veiga at embraer.com.br
> Cc: full-disclosure at lists.netsys.com
> Subject: Re: [Full-Disclosure] apache browsing files
> On Mon, 05 Jan 2004 17:00:37 -0200, diego.veiga at embraer.com.br said:
> > Is there a way for apache only browse files *.html or *.php not all
> > file types in the browser address?
> There probably is a directive for it.
There's more than one. You could edit IndexIgnore and add *.log to it
(and whatever else you want - *.gif, *.jpg, whatever.) You could chown
the logfiles to root and chmod them so only root could read them (which
should be done for all logfiles anyway - at a minimum root:wheel
rw-r----.) You could use "Options -Indexes" to turn automatic indexing
off entirely. You could use "% touch index.html" for each directory on
the web server to add a blank index file.
> It won't help.
Maybe not, but I can think of legitimate reasons (note that I didn't say
intelligent) to have logfiles web-viewable. If you're doing virtual
hosting and you want each of the sites you host to have access to their
logs without having to give them shell access, you may choose to do it
this way. Of course, you wouldn't have the main apache logs there, and
you'd want to configure logging so it only gave the website owners
useful information without giving away the farm. You may also want to
use .htaccess to force a login to view those logs. But there are better
ways to provide statistical information to website owners (weblog.pl,
webalizer, etc.) if that's what the goal is.
> It would require that the same sites that aren't able to
> change the config to a secure mode (by putting the logs
Ummm...if you're running apache, the config (wrt location of logs -
usually either /var/log or /var/log/http/logs/) is secure by default.
You'd have to *change* the default to have the logs web-viewable, so
there has to be some decision-making going on here (not the best
decision-making, perhaps, but decision-making nonetheless.) First you'd
have to change the default location of the logs. Then you'd have to
change the default ownership and/or group of the logs and/or make them
> would have to change the config to add a directive
> that worked around their original misconfiguration. If
> they're going to change the config *anyhow*, they should just
> fix the base problem rather than hack around it.
Well, it isn't a mis-configuration. A poorly thought out configuration
perhaps. But not a misconfiguration. A misconfiguration should result
in errors when running "% apachectl configtest". A poor configuration
would result in no errors but would expose the website and/or server to
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
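An added shell example, not part of this thread and not Apache's own tooling, that applies the layered fixes Paul lists above (a blank index.html per directory, log files made unreadable to the web server user, `Options -Indexes` plus an `IndexIgnore` list) and first audits a DocumentRoot for directories whose log files an automatic index would list. The DocumentRoot and config-file paths are assumptions; the chown to root:wheel he recommends needs root and is noted in a comment rather than run.

```shell
#!/bin/sh
# Added example: audit a DocumentRoot for log files that mod_autoindex would
# list, then apply the fixes discussed in the thread. Paths passed in are
# assumptions chosen by the caller.

# exposed_dirs DOCROOT: print every directory under DOCROOT that has no
# index.html/index.php and contains at least one *.log file. With
# "Options Indexes" in effect, Apache would render a listing of such a
# directory and hand out the log.
exposed_dirs() {
    docroot="$1"
    find "$docroot" -type d | while read -r d; do
        if [ -e "$d/index.html" ] || [ -e "$d/index.php" ]; then
            continue
        fi
        for f in "$d"/*.log; do
            if [ -e "$f" ]; then
                printf '%s\n' "$d"
                break
            fi
        done
    done
}

# count_exposed DOCROOT: number of exposed directories (0 means clean).
count_exposed() {
    exposed_dirs "$1" | wc -l | tr -d ' '
}

# harden_docroot DOCROOT: give every index-less directory a blank index.html
# (the "% touch index.html" fix) and set logs to mode 640. The thread's
# recommended owner is root:wheel; that step needs root, e.g.
#   chown root:wheel "$f"
# so it is left to the operator.
harden_docroot() {
    docroot="$1"
    find "$docroot" -type d | while read -r d; do
        if [ ! -e "$d/index.html" ] && [ ! -e "$d/index.php" ]; then
            : > "$d/index.html"
        fi
    done
    find "$docroot" -type f -name '*.log' -exec chmod 640 {} \;
}

# write_autoindex_config OUTFILE DOCROOT: emit the Apache directives from the
# thread. Indexing is switched off for the DocumentRoot; the IndexIgnore
# list keeps logs and images out of any listing that is re-enabled later.
write_autoindex_config() {
    out="$1"
    docroot="$2"
    cat > "$out" <<EOF
<Directory "$docroot">
    Options -Indexes
    IndexIgnore *.log *.gif *.jpg
</Directory>
EOF
}

# write_log_htaccess LOGDIR USERFILE: the ".htaccess to force a login" option
# for a virtual host that must see its own logs over the web. USERFILE is a
# path to an htpasswd file (assumed to exist); AllowOverride AuthConfig must
# be enabled for LOGDIR in the main configuration.
write_log_htaccess() {
    logdir="$1"
    userfile="$2"
    cat > "$logdir/.htaccess" <<EOF
AuthType Basic
AuthName "Site logs"
AuthUserFile $userfile
Require valid-user
EOF
}

# Usage: sh harden_docroot.sh /var/www/html /etc/httpd/conf.d/noindex.conf
if [ $# -ge 2 ]; then
    echo "Directories that would expose logs:"
    exposed_dirs "$1"
    harden_docroot "$1"
    write_autoindex_config "$2" "$1"
    echo "Remaining exposed directories: $(count_exposed "$1")"
fi
```

Run the audit alone first; the fixes are independent, so a site that needs logs web-viewable for its owners can keep the index.html and .htaccess pieces while still applying `Options -Indexes` to the rest of the tree.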
Full-Disclosure is hosted and sponsored by Secunia.