Might be too late for 1.3.28, but I'd love some comments.
- Changes defaults to disallow access to files unless explicitly allowed.
- Turns off CGICommandArgs
I haven't seen any scripts that still use this, but have come across
more than a handful of scripts that were vulnerable. And this is the
reason that PHP jumps through so many hoops in its CGI mode. It is
counterintuitive that environment variables would override command line
arguments in PHP, but the default of CGICommandArgs on is the reason.
- On the Unix httpd.conf-dist, does not allow Emacs autosave or temporary files
to be served (along with not allowing .ht* files). Emacs keeps the same
permission on its temp files, which is a poor choice. (vi restricts
permission to owner on its .swp files.) Also gives a commented out example
that additionally disallows *.bak, *.old, *.so, *.a, and *.o files.
OAM, would someone please give some feedback on the server-side include
patches for Apache2 that I posted last month? Thanks.
Cheers,
Glenn
diff -ru apache_1.3.27/conf/highperformance.conf-dist
apache_1.3.27.new/conf/highperformance.conf-dist
--- apache_1.3.27/conf/highperformance.conf-dist 2001-08-29 09:32:07.000000000
-0400
+++ apache_1.3.27.new/conf/highperformance.conf-dist 2003-06-24 14:00:04.000000000
-0400
@@ -33,14 +33,18 @@
# this if you need logging.
#TransferLog logs/access_log
+# Never pass query string arguments as command line arguments to CGI.
+# (Args are passed on the command line if the query string does not contain
+# an '=' and CGICommandArgs on, the default if omitted for backwards compat)
+CGICommandArgs off
+
# Disable symlink protection and htaccess files, they chew far too much.
<Directory />
AllowOverride none
Options FollowSymLinks
- # If this was a real internet server you'd probably want to
- # uncomment these:
- #order deny,allow
- #deny from all
+ order deny,allow
+ deny from all
+ # you'll need to "allow" access to files you want to serve. see below
</Directory>
# If this was a real internet server you'd probably want to uncomment this:
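Review bot: The new comment `# you'll need to "allow" access to files you want to serve. see below` has no concrete target in this hunk, and once `order deny,allow` / `deny from all` are active rather than commented out, a server started from highperformance.conf-dist serves nothing until a `<Directory>` block with `allow from all` is added. Name that block in the comment (or add it in the same patch), and reword the surviving context line `# If this was a real internet server you'd probably want to uncomment this:` accordingly, since whatever it introduces is now required rather than optional.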
diff -ru apache_1.3.27/conf/httpd.conf-dist apache_1.3.27.new/conf/httpd.conf-dist
--- apache_1.3.27/conf/httpd.conf-dist 2002-09-04 00:39:41.000000000 -0400
+++ apache_1.3.27.new/conf/httpd.conf-dist 2003-06-24 14:16:31.000000000 -0400
@@ -289,6 +289,7 @@
<Directory />
Options FollowSymLinks
AllowOverride None
+ deny from all
</Directory>
#
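Review bot: `+ deny from all` is added to `<Directory />` without an explicit `Order`. It does deny everything because Apache 1.3's default `Order` is `deny,allow`, but relying on the default is fragile and is inconsistent with the highperformance.conf-dist hunk, which spells out `order deny,allow` next to `deny from all`. Suggest adding `Order deny,allow` here and using the capitalised `Deny from all` spelling the rest of this file uses (cf. the `<Files>` block further down); the same applies to the identical hunks in httpd.conf-dist-nw and httpd.conf-dist-win.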
@@ -376,7 +377,8 @@
# Also, folks tend to use names such as .htpasswd for password
# files, so this will protect those as well.
#
-<Files ~ "^\.ht">
+#<Files ~ "^\.ht|^#.*#$|~$|\.bak$|\.old$|\.so$|\.a$|\.o$">
+<Files ~ "^\.ht|^#.*#$|~$">
Order allow,deny
Deny from all
Satisfy All
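Review bot: The comment block above this `<Files ~ ...>` line still only explains `.htaccess` and `.htpasswd`, but the new pattern `^\.ht|^#.*#$|~$` also blocks Emacs autosave files (`#name#`) and backup files (`name~`); update the comment so the next reader knows why `~$` is there. The commented-out alternative with `\.bak$|\.old$|\.so$|\.a$|\.o$` would also benefit from a one-line note on why it is off by default (a site that legitimately serves `.so`, `.a` or `.o` downloads would lose them), since it is otherwise easy to enable blindly.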
@@ -523,6 +525,12 @@
# EBCDICConvertByType Off=InOut */*
+# Never pass query string arguments as command line arguments to CGI.
+# (Args are passed on the command line if the query string does not contain
+# an '=' and CGICommandArgs on, the default if omitted for backwards compat)
+CGICommandArgs off
+
+
#
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
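Review bot: This hunk leaves two blank lines after `CGICommandArgs off`, while the highperformance, -nw and -win hunks add one; drop one for consistency. The comment text `an '=' and CGICommandArgs on, the default if omitted for backwards compat` is hard to parse in all four copies; suggest something like `an '=' and CGICommandArgs is On, which is the default when the directive is omitted, kept for backwards compatibility`, fixed in one place and copied to the other three files.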
diff -ru apache_1.3.27/conf/httpd.conf-dist-nw
apache_1.3.27.new/conf/httpd.conf-dist-nw
--- apache_1.3.27/conf/httpd.conf-dist-nw 2002-09-13 18:02:48.000000000 -0400
+++ apache_1.3.27.new/conf/httpd.conf-dist-nw 2003-06-24 14:03:58.000000000 -0400
@@ -249,6 +249,7 @@
<Directory />
Options FollowSymLinks
AllowOverride None
+ deny from all
</Directory>
#
@@ -469,6 +470,11 @@
#
ServerSignature On
+# Never pass query string arguments as command line arguments to CGI.
+# (Args are passed on the command line if the query string does not contain
+# an '=' and CGICommandArgs on, the default if omitted for backwards compat)
+CGICommandArgs off
+
#
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
diff -ru apache_1.3.27/conf/httpd.conf-dist-win
apache_1.3.27.new/conf/httpd.conf-dist-win
--- apache_1.3.27/conf/httpd.conf-dist-win 2002-09-04 00:39:41.000000000 -0400
+++ apache_1.3.27.new/conf/httpd.conf-dist-win 2003-06-24 14:03:24.000000000 -0400
@@ -311,6 +311,7 @@
<Directory />
Options FollowSymLinks
AllowOverride None
+ deny from all
</Directory>
#
@@ -564,6 +565,11 @@
# (Unix behavior) option, and will override this server default option.
#
+# Never pass query string arguments as command line arguments to CGI.
+# (Args are passed on the command line if the query string does not contain
+# an '=' and CGICommandArgs on, the default if omitted for backwards compat)
+CGICommandArgs off
+
#
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
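As an added example (not part of Glenn's patch or of Apache's own tooling), the following Python script checks a configuration for the three hardening points the patch introduces: `CGICommandArgs off` set explicitly (the directive defaults to on when omitted), `deny from all` in `<Directory />`, and a denied `<Files ~ regex>` block that covers Emacs autosave and backup names. The parser handles only the subset of httpd.conf syntax needed here (top-level directives, `<Directory>` and `<Files>` containers); the two configuration fragments and the file names it is run against are constructed for the example, modelled on the before and after state of the httpd.conf-dist hunks.

```python
"""Checker for the three hardening items in the patch, run against constructed
before/after httpd.conf fragments. Parses only top-level directives and
<Directory ...> / <Files ~ ...> containers; comments and blank lines are skipped."""
import re

# Constructed sample: pre-patch defaults (CGICommandArgs omitted, no deny in
# <Directory />, only .ht* protected) to show what the checker flags.
SAMPLE_BEFORE = """\
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Files ~ "^\\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
"""

# Constructed sample: the same fragment after applying the patch.
SAMPLE_AFTER = """\
CGICommandArgs off
<Directory />
    Options FollowSymLinks
    AllowOverride None
    deny from all
</Directory>
<Files ~ "^\\.ht|^#.*#$|~$">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
"""

CONTAINER_RE = re.compile(r'^<(Directory|Files)\s+(.*?)>$', re.I)


def parse(conf):
    """Return (top_level_directives, containers); each container is a tuple
    (kind, argument, [directive lines]). Only lines starting with '#' are
    comments, matching Apache's own rule."""
    top, containers, current = [], [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = CONTAINER_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2).strip(), [])
            containers.append(current)
            continue
        if line.lower() in ('</directory>', '</files>'):
            current = None
            continue
        (current[2] if current else top).append(line)
    return top, containers


def cgi_command_args_off(conf):
    """True only when CGICommandArgs is explicitly off; an omitted directive
    means on, which is exactly the default the patch removes."""
    top, _ = parse(conf)
    for directive in top:
        parts = directive.split()
        if parts[0].lower() == 'cgicommandargs':
            return len(parts) > 1 and parts[1].lower() == 'off'
    return False


def root_denied(conf):
    """True if <Directory /> carries 'deny from all' (with Apache 1.3's default
    Order deny,allow that alone denies everything not re-allowed elsewhere)."""
    _, containers = parse(conf)
    for kind, arg, body in containers:
        if kind == 'directory' and arg == '/':
            return any(d.lower() == 'deny from all' for d in body)
    return False


def blocked_names(conf, names):
    """Return the subset of basenames matched by a <Files ~ regex> block that
    denies all access; <Files> matches against the basename only."""
    _, containers = parse(conf)
    blocked = set()
    for kind, arg, body in containers:
        if kind != 'files' or not arg.startswith('~'):
            continue
        if not any(d.lower() == 'deny from all' for d in body):
            continue
        pattern = re.compile(arg[1:].strip().strip('"'))
        blocked.update(n for n in names if pattern.search(n))
    return blocked


# Constructed basenames: a real page plus the editor leftovers the patch targets.
EDITOR_LEFTOVERS = ['index.html', '.htaccess', '#index.html#', 'index.html~', 'index.html.bak']


def report(conf):
    """Summarise the three checks for one configuration fragment."""
    return {
        'cgi_args_off': cgi_command_args_off(conf),
        'root_denied': root_denied(conf),
        'blocked': blocked_names(conf, EDITOR_LEFTOVERS),
    }


if __name__ == '__main__':
    for label, conf in (('before', SAMPLE_BEFORE), ('after', SAMPLE_AFTER)):
        print(label, report(conf))
```

Running it shows the before fragment failing all three checks except blocking `.htaccess`, and the after fragment passing, with `#index.html#` and `index.html~` now blocked while `index.html.bak` is still served, which is the case the commented-out alternative in the patch would cover.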