httpd-docs mailing list archives

From Jani Mikkonen <>
Subject Suggestion for security tips page.
Date Tue, 02 Dec 2003 14:15:40 GMT

I have a little suggestion to add to the security tips page @ (of course, it
will work with 1.3 too).

At least in the machines I've set up for apache use, I have a lot of
people doing the actual content of the webpages. Most if not all of
those webmasters use emacs to edit their pages. And as you know, by
default emacs creates a backup file in the same dir with the ~ character
at the end of the original filename. This is a possible security breach
when webmasters are editing script files (cgi/php/ssi/mod_perl stuff)
that might have sensitive data like passwords/ip addresses of
internal machines or something similar. And since execution of these
serverside scripting languages usually depends on the extension of the
filename, a filename such as "database_connection.php~" would not be
executed through the php module and thus the actual code could be read by
anyone knowing the url.

The obvious fix for this problem is to educate the webmasters not to
copy the stuff into the live site OR erase the files after they are done, but
this will most likely happen only after the temperature reaches 0C
downstairs where the bsd mascot runs the show.

But to make sure that these files are not presented to the user, I
always check that my httpd.conf includes the following:

# deny any file whose name ends in "~" (emacs backup copies)
<Files ~ "\~$">
    Order allow,deny
    Deny from all
</Files>

I think this falls into pretty much the same category as the protection
of ^\.ht files, so probably this could be added to the default configuration
file that ships with the source if it seems necessary?

j a n i  at  m i k k o n e n  dot  o r g
Advogato profile:
Public PGP key from: - ProPrivacy!
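As an added illustration (not part of the post above), the script below models how the `<Files ~ "\~$">` rule classifies request paths and then audits a document root for leftover emacs backup files that the rule is meant to hide. The matching semantics it encodes are Apache's: a `<Files>` directive is tested against the final path component only, so a `~` inside a directory name (a `/~user/` home directory, for instance) is untouched and only names ending in `~` are denied. The `is_denied`, `find_backup_files` and `demo` names, and the constructed sample docroot, are this example's own.

```python
"""Model the <Files ~ "\~$"> deny rule and audit a docroot for emacs backups.

Added example; the function names and the sample files are constructed here,
not taken from the mailing list post or from the httpd project.
"""
import os
import re
import tempfile
from typing import List

# Same regex as the directive in the post. Apache applies a <Files> pattern to
# the basename of the requested file, not to the whole path.
BACKUP_RE = re.compile(r"~$")


def is_denied(request_path: str) -> bool:
    """Return True if a <Files ~ "\~$"> block would deny this mapped path.

    request_path is the URL path after Apache has mapped it to a file (no
    query string). Only the last component is matched, so "/~jani/index.html"
    is served while "/~jani/index.html~" is denied.
    """
    basename = request_path.rstrip("/").rsplit("/", 1)[-1]
    return bool(BACKUP_RE.search(basename))


def find_backup_files(docroot: str) -> List[str]:
    """List files under docroot whose names end in "~", relative to docroot.

    This is the audit step the post's "erase the files" advice calls for:
    a Deny rule hides the copies from clients, but they are still on disk
    and still hold whatever credentials the original script contained.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if BACKUP_RE.search(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(hits)


def demo() -> List[str]:
    """Build a constructed docroot with typical leftovers and audit it."""
    sample_files = [
        "index.html",
        "database_connection.php",
        "database_connection.php~",   # emacs backup of a script with secrets
        "inc/config.inc~",            # backup in a subdirectory
        "~jani/index.html",           # tilde in a directory name: not a backup
    ]
    with tempfile.TemporaryDirectory(prefix="docroot-") as root:
        for rel in sample_files:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")
        return find_backup_files(root)


if __name__ == "__main__":
    for p in ["/database_connection.php", "/database_connection.php~",
              "/~jani/index.html", "/~jani/index.html~"]:
        print(f"{p:32} denied={is_denied(p)}")
    print("backup files found:", demo())
```

Running the script prints the per-path decision and then the two backup files the audit finds (`database_connection.php~` and `inc/config.inc~`), while `~jani/index.html` is correctly left alone. On Apache 2.x the same rule is usually written as `<FilesMatch "~$">`, which matches exactly the same names.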
