From: "J. Greenlees"
Date: Tue, 16 Sep 2008 16:41:37 -0700
To: users@httpd.apache.org
Subject: Re: [users@httpd] Directory hiding
Message-ID: <48D04431.7060007@jaqui-greenlees.net>
In-Reply-To: <182715EE-1D49-459A-9498-F6ECCCE6284F@webthing.com>

Nick Kew wrote:
>
> On 16 Sep 2008, at 06:57, Hugh E Cruickshank wrote:
>
>> That may be the case but their recommendation is still: Issue a "404 -
>> Not Found" response status code for a forbidden resource, or remove it
>> completely.
>
> Either they're wrong or you're misreading.
>
> But I can see what's happening. It's "chinese whispers", starting from
> the CIS benchmark. Most likely someone along the way (IBM's tech
> writer's boss or somesuch) insisted that a meaningful explanation
> would be too difficult for their lusers, and either didn't understand or
> didn't care that it's misleading.
>
> Security by Cookery. BTDT. I can feel a blog entry coming on.
>

~chuckle~
Technically, cooking is following a detailed set of instructions, one set for each item being cooked, so it's not quite as bad as it sounds.

I don't disagree with the conclusion in this particular case: hiding filesystem structure in the documentroot is not an improvement in security.

I'm always concerned with security issues, but it's the app code and data verification that I see as the place to focus my attention. At least until such time as updated underlying technologies are implemented to address the security issues.

Since the internet was built at a time and in an environment where security wasn't a concern at all, the core technologies need to be rebuilt with security as a priority. That would probably impact the HTTP Server and many other projects, requiring a lot of work to have them function with the new system(s) properly.

Jaqui

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org