httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vincent Deffontaines <vinc...@gryzor.com>
Subject Fw: Documentation for mod_authn_dbd from a security point of view
Date Wed, 02 Jan 2013 12:55:40 GMT
Greetings apache-doc,

Forwarding an email exchange I have had with niq, suggestions
and more ideas welcome !
I started adding information into trunk's documentation for
mod_ahtn_dbd, will do more and backport to 2.4 after discussion.

gryzor

----- Message Transféré -----

Date: Mon, 31 Dec 2012 20:40:12 +0000
De: Nick Kew <nick@webthing.com>
À: Vincent Deffontaines <vincent@gryzor.com>
Sujet: Re: Documentation for  mod_authn_dbd from a security point of
view


On Mon, 31 Dec 2012 19:15:26 +0100
Vincent Deffontaines <vincent@gryzor.com> wrote:

> Hi Niq,
> 
> I am writing to you because you are the original author of that
> documentation. I tend to find the 2.4 doc for that module a bit
> incomplete (same for trunk).
> 
> I am talking about :
> http://httpd.apache.org/docs/trunk/en/mod/mod_authn_dbd.html
> http://httpd.apache.org/docs/trunk/en/mod/mod_dbd.html
> 
> I have read mod_authn_dbd and mod_dbd docs in detail before writing
> this (actually, on the process of submitting .fr translations), but I
> have zero admin/dev experience with those modules, so please forgive
> my naive questions or statements.
> 
> The mod_authn_dbd doc states things like :
> AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
> 
> Which will make any [competent] admin wonder or worry about
> security/SQL injection.
> 
> I am aware that mod_dbd's documentation has some statements about
> security. However, I believe we could make the situation better by
> adding notes about SQL injection in the mod_authn_dbd directly, should
> it just be just a pointer to mod_dbd's info.

We can't say either that it is or isn't safe, because it depends on
the driver.

> I also believe the mod_dbd doc is not quite sufficient. I read : 
> "In most cases, Apache DBD is safe, because applications use prepared
> statements, and untrusted inputs are only ever used as data".

I guess that's a bit too strong.  Maybe it should be qualified as
"... as safe as the application ...".  In the case of authn that
means safe, provided the driver is safe.

>    So, is
> mod_authn_dbd safe in that regard ? I would hint it is, but currently
> the docs give no clue about it. So if mod_authn_dbd is known to be
> safe for SQL injection, we should state it in its documentation, and
> maybe list known to be safe modules in mod_dbd's doc ?

If you want to add a section to mod_authn_dbd (good idea), it needs
an explanation something like:

Q: What do I need to do to protect my server from SQL Injection?
A: It depends on what DBD driver and backend you use.  With most
   drivers you don't have to do anything: the statement is prepared
   by the database at startup, and user input is used only as data.
   But you may need to untaint your input.  At the time of writing,
   the only driver that requires you to take care is FreeTDS.

> Or maybe should be introduced the use of taint checking directly in
> mod_authn_dbd's doc ?
> 
> I will be happy to commit security notes myself, when I have read your
> opinion about these :) I will also make you read what I stated, to be
> sure it is accurate.

Do you mind if I post this to the docs list?
More eyes make for better docs.

-- 
Nick Kew


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message