httpd-docs mailing list archives

From Lonnie <lonnie_smet...@umanitoba.ca>
Subject Re: Suggestion for security tips page.
Date Wed, 28 Jan 2004 14:41:05 GMT

>My point for the post was that this should be told in the security tips
>pages as it might not be obvious to everyone who starts to configure
>Apache the way they like it.  And in most cases, there are different people
>for writing the content files and for configuring Apache. So you cannot
>just eliminate stupidity without heavy larting and bofhing.
>
>This didn't come to me as "yeah it would be fun to block these" but I
>actually witnessed someone probing my homesite. That prober had created
>a list of all files in my docroot with *.php extension and crawling through
>them and then sending requests with same filename and ~ at the end.
>
I've had some probes/attempted attacks recently also and I agree with 
Jani that a security tip in the documentation would be a good thing. I 
already had a rule in place in my httpd.conf file to prevent people from 
browsing files with ~ in the name but to newer admins it may not be an 
obvious thing to set up.

As Jani pointed out, there are a number of ways for potentially 
exploitable files to make their way onto the site. We have a lot of 
people that use Dreamweaver, which creates .tmp files if you try and 
preview a page (scripted or not). These files sometimes linger around 
and the potential for them being synchronized to the live site does exist.

I'd be willing to take a stab at writing a security tip for this 
particular instance if the consensus is that it would be useful.

-- 
Lonnie Smetana
Web Developer
University of Manitoba

v: 204.474.7228
e: lonnie_smetana@umanitoba.ca
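
A docroot audit for the leftover files discussed in this thread, as an added example that is not part of the original message: it walks a document root, lists files ending in `~` or `.tmp`, and flags those that hold script source. The extra suffixes, the script extensions and tags, and the sample tree are assumptions made for the example.

```python
import os
import re
import tempfile

# "~" and ".tmp" come from the thread; the other suffixes are assumed additions.
LEFTOVER = re.compile(r"(~|\.tmp|\.bak|\.swp|\.orig)$", re.IGNORECASE)
# Assumed script extensions and server-side tags; adjust to the site's handlers.
SCRIPT_NAME = re.compile(r"\.(php|phtml|pl|cgi)\b", re.IGNORECASE)
SCRIPT_TAG = re.compile(rb"<\?(php|=)|<%", re.IGNORECASE)

def looks_like_source(path, name):
    """True if the name embeds a script extension or the content has script tags."""
    if SCRIPT_NAME.search(name):
        return True
    try:
        with open(path, "rb") as fh:
            return bool(SCRIPT_TAG.search(fh.read(65536)))
    except OSError:
        return True  # unreadable file: report it rather than skip it

def find_leftovers(docroot):
    """Return sorted (relative_path, holds_source) pairs for leftover files."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if LEFTOVER.search(name):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, docroot).replace(os.sep, "/")
                hits.append((rel, looks_like_source(full, name)))
    return sorted(hits)

def demo():
    """Audit a constructed docroot built in a temporary directory."""
    samples = {  # constructed sample files, not taken from any real site
        "index.php": b"<?php echo 'hi'; ?>",
        "index.php~": b"<?php $db_pass = 'example'; ?>",
        "admin/TMPpreview.tmp": b"<html><?php include 'cfg.php'; ?></html>",
        "notes.txt~": b"todo list",
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "admin"))
        for rel, data in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        return find_leftovers(root)

if __name__ == "__main__":
    for path, holds_source in demo():
        print("SOURCE  " if holds_source else "leftover", path)
```

Running it against the staging copy before a sync catches the files before they reach the live site; it complements a server rule that denies such names rather than replacing it.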

