httpd-dev mailing list archives

From Greg Stein <gst...@lyra.org>
Subject Re: Minor security issue in httpd.conf - .your_domain.com
Date Wed, 04 Apr 2001 08:43:25 GMT
This is not a security issue. security@apache.org is for reporting security
defects in ASF software. Configuration issues do not count.

However, this does point to a basic problem in our .conf file. We should be
using the example.com domain throughout our .conf and documentation files.
That domain exists solely to be used in RFCs, docs, etc for examples... no
hosts will resolve.

(it is registered to the IANA in perpetuity, for this situation)

Cheers,
-g

On Thu, Apr 05, 2001 at 01:29:06AM -0700, Gary Bickford wrote:
> Folks,
> 
> I was just fixing up a new copy of Apache, and when I was editing the 
> /server-info feature, I forgot to fix the domain name in this section:
> 
> <Location /server-info>
>     SetHandler server-info
>     Order deny,allow
>     Deny from all
>     Allow from .your_domain.com
> </Location>             
> 
> Of course, the Allow from line should read something like this:
>     Allow from 127.0.0.1
> But I was in a hurry and just uncommented these lines out.  I didn't change 
> the domain name until I noticed that I couldn't get to the server-info page.  
> If I hadn't done this check, I might not have noticed this.
> 
> I looked on the net, and sure enough there is an existing web site at 
> www.your_domain.com.  This means that anyone who is behind that domain name 
> could see the server info for my web server.  This could well be a common 
> oversight for both newbies and folks who've done the Apache install one too 
> many times.
> 
> I suggest that you change your_domain.com to something safer such as 
> 127.0.0.1, or something that is put in during configuration, or to some 
> impossible domain name.
> 
> It may be that all the folks at your_domain.com are both wonderful and 
> unknowing about this, but I'd rather not test that hypothesis even though 
> this isn't a very big security problem in any case.
> 
> Thanks for a great product!
> Gary Bickford
> 

-- 
Greg Stein, http://www.lyra.org/
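The pitfall in the quoted config is that `Allow from .your_domain.com` grants access to any client whose reverse DNS ends in a domain somebody else actually owns. As an added example (not part of this thread or of Apache), here is a small checker that scans `Allow from` directives in an httpd.conf fragment and flags unreplaced placeholder names; it also generalizes by flagging any domain suffix that is not an RFC 2606 reserved name (example.com and friends, the ones Greg recommends), so an admin can confirm those are domains they control. The placeholder word list and the sample config are constructed assumptions.

```python
import re

# Constructed httpd.conf fragment: the placeholder block from the thread
# beside a corrected block that uses loopback and an RFC 2606 reserved name.
SAMPLE_CONF = """\
<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from .your_domain.com
</Location>

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 .example.com
</Location>
"""

# RFC 2606 reserved names: guaranteed never to resolve to a real host.
RESERVED_SUFFIXES = ("example.com", "example.net", "example.org",
                     ".test", ".example", ".invalid", ".localhost")
# Placeholder tokens installers commonly forget to replace (assumed list).
PLACEHOLDER = re.compile(r"your[_-]?domain|your[_-]?host|my[_-]?domain", re.I)
# Full or partial IPv4 address, optionally with a CIDR mask (e.g. 10.1, 10.0.0.0/8).
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}(/\d+)?$")

def risky_allow_entries(conf_text):
    """Return (location, token, reason) for every 'Allow from' entry naming a
    host or domain suffix that could admit clients the admin does not control."""
    findings = []
    location = "<global>"
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r"<Location\s+([^>]+)>", line, re.I)
        if opened:
            location = opened.group(1).strip()
            continue
        if re.match(r"</Location>", line, re.I):
            location = "<global>"
            continue
        allow = re.match(r"Allow\s+from\s+(.+)", line, re.I)
        if not allow:
            continue
        for token in allow.group(1).split():
            t = token.lower()
            if t in ("all", "localhost") or IPV4.match(t):
                continue  # IP-based rules need no DNS and are out of scope here
            if PLACEHOLDER.search(t):
                findings.append((location, token, "unreplaced placeholder domain"))
            elif not t.endswith(RESERVED_SUFFIXES):
                findings.append((location, token, "real domain suffix; confirm you own it"))
    return findings
```

Running it on the sample reports only the `/server-info` block; the corrected `/server-status` block passes clean.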
