httpd-docs mailing list archives

From Jani Mikkonen <j...@mikkonen.org>
Subject Re: Suggestion for security tips page.
Date Wed, 28 Jan 2004 13:53:28 GMT
On Wed, 2004-01-28 at 15:38, Rich Bowen wrote:

> I'm somewhat torn on this one. A rule like this encourages people to do
> stupid things. Don't edit files on the live server.

There are other ways for these backup files to get onto the live server
too. Think about someone editing files, then doing a wildcarded cvs
import for the whole tree with the backups and all (of course this falls
into the category: stupid things), and then each time the live server checks
out the stuff, the backups are there.

Or

Rsync the whole directory structure to live.

> On the other hand (running out of hands here), where do we draw the line?
> Do we need a rule for vi swap files? MS Word swap files? Pico swap
> files?

My point for the post was that this should be told in the security tips
pages, as it might not be obvious to everyone who starts to configure
apache the way they like it.  And in most cases, there are different people
for writing the content files and for configuring apache. So you cannot
just eliminate stupidity without heavy larting and bofhing.

This didn't come to me as "yeah, it would be fun to block these", but I
actually witnessed someone probing my home site. That prober had created
a list of all files in my docroot with the *.php extension and was crawling
through them, sending requests with the same filename and ~ at the end.


-- 
Jani Mikkonen <jani dot mikkonen at jippiigroup dot com>
ADVOGATO Profile: http://www.advogato.org/person/rasjani
Public key available from www.keyserver.net - ProPrivacy!
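The probing pattern Jani describes (take every known `*.php` name, request it again with `~` appended) is easy to spot in an access log, and the leftover names are easy to deny in httpd. The script below is an added example written for this archive page; it is not code from the thread or from the httpd documentation. It assumes a Common Log Format access log, a constructed sample of six log lines, an assumed regex for editor leftovers (`~` backups, vi `.swp`/`.swo` swap files, `.bak`/`.orig`/`.old` copies), and a threshold of three hits per client before a client is reported as a prober. The `<FilesMatch>` block it carries as a string is the corresponding deny rule for httpd 2.4 (`Require all denied`; the 2.2 form is `Order allow,deny` / `Deny from all`), which is the tip the thread is arguing about. It goes a little beyond the `~` case in the mail by covering the swap-file names Rich raised as well.

```python
import re
from collections import defaultdict

# Assumed pattern for editor/backup leftovers: Emacs/vi "~" backups, vi swap
# files, and .bak/.orig/.old copies. Not taken from the httpd docs.
BACKUP_FILE_RE = re.compile(r"(~|\.(bak|orig|old|swp|swo))$", re.IGNORECASE)

# The httpd 2.4 directive a defender would add to deny these names outright
# (assumed wording; on httpd 2.2 use "Order allow,deny" + "Deny from all").
APACHE_DENY_BLOCK = r'''
<FilesMatch "(~|\.(bak|orig|old|swp|swo))$">
    Require all denied
</FilesMatch>
'''

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def is_backup_name(path):
    """True if the request path (query string ignored) looks like a leftover file."""
    path = path.split("?", 1)[0]
    return bool(BACKUP_FILE_RE.search(path))


def parse_line(line):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_LINE_RE.match(line)
    return m.groupdict() if m else None


def find_backup_probes(lines, threshold=3):
    """Map client IP -> list of backup-style paths it requested,
    keeping only clients with at least `threshold` such requests."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_backup_name(rec["path"]):
            hits[rec["ip"]].append(rec["path"])
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}


def served_backups(lines):
    """(ip, path) pairs where a backup-style request got a 200, i.e. the
    server actually handed out a leftover file instead of a 403/404."""
    leaked = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["status"] == "200" and is_backup_name(rec["path"]):
            leaked.append((rec["ip"], rec["path"]))
    return leaked


# Constructed sample log: one client walking *.php names with "~" appended,
# one client trying a single vi swap file. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jan/2004:13:40:01 +0000] "GET /index.php HTTP/1.0" 200 1532
203.0.113.5 - - [28/Jan/2004:13:40:02 +0000] "GET /index.php~ HTTP/1.0" 404 209
203.0.113.5 - - [28/Jan/2004:13:40:03 +0000] "GET /login.php~ HTTP/1.0" 404 209
203.0.113.5 - - [28/Jan/2004:13:40:04 +0000] "GET /admin/config.php~ HTTP/1.0" 200 4410
198.51.100.9 - - [28/Jan/2004:13:41:10 +0000] "GET /about.php HTTP/1.0" 200 880
198.51.100.9 - - [28/Jan/2004:13:41:11 +0000] "GET /.index.php.swp HTTP/1.0" 404 209
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, paths in find_backup_probes(lines).items():
        print(f"probing client {ip}: {len(paths)} backup-style requests, e.g. {paths[0]}")
    for ip, path in served_backups(lines):
        print(f"LEAK: {path} was served with 200 to {ip}")
    print("suggested httpd rule:", APACHE_DENY_BLOCK)
```

The second function is the one to run first after an incident like the one in the mail: a `404` for `index.php~` means the prober found nothing, while a `200` for `config.php~` means the editor backup (and whatever credentials it held) was delivered as plain text, since httpd will not run `.php~` through the PHP handler.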
