httpd-dev mailing list archives

From Ben Laurie <...@algroup.co.uk>
Subject Re: Minor security issue in httpd.conf - .your_domain.com
Date Wed, 04 Apr 2001 17:19:10 GMT
Greg Stein wrote:
> 
> This is not a security issue. security@apache.org is for reporting security
> defects in ASF software. Configuration issues do not count.
> 
> However, this does point to a basic problem in our .conf file. We should be
> using the example.com domain throughout our .conf and documentation files.
> That domain exists solely to be used in RFCs, docs, etc for examples... no
> hosts will resolve.
> 
> (it is registered to the IANA in perpetuity, for this situation)

Actually, IMO, you should use an illegal name (which we did, so I'm
puzzled - your_domain.com doesn't [and, in theory, can't] resolve, but
your-domain.com does...).

Cheers,

Ben.

> 
> Cheers,
> -g
> 
> On Thu, Apr 05, 2001 at 01:29:06AM -0700, Gary Bickford wrote:
> > Folks,
> >
> > I was just fixing up a new copy of Apache, and when I was editing the
> > /server-info feature, I forgot to fix the domain name in this section:
> >
> > <Location /server-info>
> >     SetHandler server-info
> >     Order deny,allow
> >     Deny from all
> >     Allow from .your_domain.com
> > </Location>
> >
> > Of course, the Allow from line should read something like this:
> >     Allow from 127.0.0.1
> > But I was in a hurry and just uncommented these lines out.  I didn't change
> > the domain name until I noticed that I couldn't get to the server-info page.
> > If I hadn't done this check, I might not have noticed this.
> >
> > I looked on the net, and sure enough there is an existing web site at
> > www.your_domain.com.  This means that anyone who is behind that domain name
> > could see the server info for my web server.  This could well be a common
> > oversight for both newbies and folks who've done the Apache install one too
> > many times.
> >
> > I suggest that you change your_domain.com to something safer such as
> > 127.0.0.1, or something that is put in during configuration, or to some
> > impossible domain name.
> >
> > It may be that all the folks at your_domain.com are both wonderful and
> > unknowing about this, but I'd rather not test that hypothesis even though
> > this isn't a very big security problem in any case.
> >
> > Thanks for a great product!
> > Gary Bickford
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: security-unsubscribe@apache.org
> > For additional commands, e-mail: security-help@apache.org
> 
> --
> Greg Stein, http://www.lyra.org/
> 

--
http://www.apache-ssl.org/ben.html

In SF until 21st April - http://ApacheCon.com/
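A small audit for the oversight Gary describes, added here as an example and not part of this thread or of Apache's own tooling: it scans httpd.conf text for Apache 2.2-style `Allow from` directives that still carry a placeholder domain (your_domain.com, or the your-domain.com that Ben notes does resolve) or any other hostname, since host-based access control depends on DNS. The sample config below is constructed.

```python
import re

# Placeholder names seen in shipped httpd.conf templates and docs. The
# thread points out that your_domain.com cannot legally resolve but
# your-domain.com does, so both are flagged; example.com is reserved
# by IANA but still should not grant access on a real server.
PLACEHOLDER_DOMAINS = {"your_domain.com", "your-domain.com", "example.com"}

# mod_access (Apache 2.2) host-based access control directive.
ALLOW_RE = re.compile(r"^\s*Allow\s+from\s+(.+?)\s*$", re.IGNORECASE)


def _is_address(token):
    """True for IPv4, IPv4/CIDR, partial IPv4 (e.g. '10.1') or IPv6."""
    return ":" in token or re.fullmatch(r"[0-9./]+", token) is not None


def audit_allow_from(config_text):
    """Return (line_no, argument, reason) for every 'Allow from' argument
    that is a placeholder domain or a hostname rather than an address."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = ALLOW_RE.match(line)          # commented-out lines never match
        if not m:
            continue
        for arg in m.group(1).split():
            token = arg.lstrip(".").lower()   # '.your_domain.com' -> 'your_domain.com'
            if token == "all" or token.startswith("env="):
                continue
            if token in PLACEHOLDER_DOMAINS:
                findings.append((lineno, arg, "placeholder domain left in config"))
            elif not _is_address(token):
                findings.append((lineno, arg, "hostname-based access control depends on DNS"))
    return findings


# Constructed sample: the server-info block from the thread as shipped,
# next to a server-status block restricted to the loopback address.
SAMPLE_CONF = """\
<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from .your_domain.com
</Location>
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
"""
```

Running `audit_allow_from(SAMPLE_CONF)` reports only the `.your_domain.com` line; the loopback-restricted block is silent.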
