From: Lonnie Smetana <lonnie_smetana@umanitoba.ca>
To: docs@httpd.apache.org
Date: Wed, 28 Jan 2004 08:41:05 -0600
Subject: Re: Suggestion for security tips page.
Message-ID: <4017CA01.606@umanitoba.ca>
In-Reply-To: <1075298008.3803.13.camel@kone-12.hertz.jippii.com>

> My point for the post was that this should be told in the security tips
> pages as it might not be obvious to everyone who starts to configure
> apache the way they like it. And in most cases, there are different people
> for writing the content files and for configuring apache. So you cannot
> just eliminate stupidity without heavy larting and bofhing.
>
> This didn't come to me as "yeah it would be fun to block these" but I
> actually witnessed someone probing my homesite.
> That prober had created
> a list of all files in my docroot with *.php extension and crawling through
> them and then sending requests with the same filename and ~ at the end.
>

I've had some probes/attempted attacks recently also and I agree with Jani
that a security tip in the documentation would be a good thing. I already
had a rule in place in my httpd.conf file to prevent people from browsing
files with ~ in the name, but to newer admins it may not be an obvious
thing to set up.

As Jani pointed out, there are a number of ways for potentially exploitable
files to make their way onto the site. We have a lot of people that use
Dreamweaver, which creates .tmp files if you try to preview a page (scripted
or not). These files sometimes linger around and the potential for them
being synchronized to the live site does exist.

I'd be willing to take a stab at writing a security tip for this particular
instance if the consensus is that it would be useful.

-- 
Lonnie Smetana
Web Developer
University of Manitoba
v: 204.474.7228
e: lonnie_smetana@umanitoba.ca
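The httpd.conf rule Lonnie mentions is not shown in the thread. As an added example (not from the message and not from the Apache documentation), here is one way to deny direct requests for the files discussed: editor backups ending in `~` and Dreamweaver's `.tmp` copies, extended to a few other common backup suffixes. It assumes Apache httpd 2.4 directive syntax (`Require all denied`); the 2.2-era equivalent is noted in a comment.

```apache
# Added example (not from the thread): refuse direct requests for backup
# and temporary copies of content files, so a probe for "index.php~" or
# "index.php.tmp" gets a 403 instead of the script's source text.
#
# FilesMatch tests only the final path component against the regex, so a
# suffix match is enough. Place this in the main server config or in a
# <Directory> block covering the DocumentRoot; it is not a <Location> rule.
# The suffix list beyond "~" and ".tmp" is an assumption covering other
# common editor/backup names.
<FilesMatch "(~|\.(?i:bak|old|orig|tmp|swp))$">
    # Apache httpd 2.4:
    Require all denied
    # Apache httpd 2.2 (the syntax current in 2004) instead uses:
    #   Order allow,deny
    #   Deny from all
</FilesMatch>
```

After a reload, a request for a known backup name under the DocumentRoot (for instance `curl -I http://localhost/index.php~`) should return 403 rather than 200. This only hides the files from the web server; the safer fix for the synchronization problem described above is to also exclude such names when publishing (for example with `rsync --exclude`), so they never reach the live docroot in the first place.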