Full Disclosure mailing list archives
RE: apache browsing files
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 5 Jan 2004 15:27:30 -0600
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Valdis.Kletnieks () vt edu
Sent: Monday, January 05, 2004 2:34 PM
To: diego.veiga () embraer com br
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] apache browsing files

> On Mon, 05 Jan 2004 17:00:37 -0200, diego.veiga () embraer com br said:
> > Is there a way for apache to only browse files *.html or *.php, not all file types, in the browser address?
> There probably is a directive for it.
There's more than one. You could edit IndexIgnore and add *.log to it (and whatever else you want - *.gif, *.jpg, whatever.) You could chown the logfiles to root and chmod them so only root could read them (which should be done for all logfiles anyway - at a minimum root:wheel rw-r-----.) You could use "Options -Indexes" to turn automatic indexing off entirely. You could use "% touch index.html" for each directory on the web server to add a blank index file.
> It won't help.
Maybe not, but I can think of legitimate reasons (note that I didn't say intelligent) to have logfiles web-viewable. If you're doing virtual hosting and you want each of the sites you host to have access to their logs without having to give them shell access, you may choose to do it this way. Of course, you wouldn't have the main apache logs there, and you'd want to configure logging so it only gave the website owners useful information without giving away the farm. You may also want to use .htaccess to force a login to view those logs. But there are better ways to provide statistical information to website owners (weblog.pl, webalizer, etc.) if that's what the goal is.
> It would require that the same sites that aren't able to change the config to a secure mode (by putting the logs elsewhere)
Ummm...if you're running apache, the config (wrt location of logs - usually either /var/log or /var/log/http/logs/) is secure by default. You'd have to *change* the default to have the logs web-viewable, so there has to be some decision-making going on here (not the best decision-making, perhaps, but decision-making nonetheless.) First you'd have to change the default location of the logs. Then you'd have to change the default ownership and/or group of the logs and/or make them world-viewable.
> would have to change the config to add a directive that worked around their original misconfiguration. If they're going to change the config *anyhow*, they should just fix the base problem rather than hack around it.
Well, it isn't a misconfiguration. A poorly thought out configuration perhaps. But not a misconfiguration. A misconfiguration should result in errors when running "% apachectl configtest". A poor configuration would result in no errors but would expose the website and/or server to unnecessary risk.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
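As an added example (not from any of the posters in this thread), a small POSIX shell audit that checks a DocumentRoot for the two exposures Paul lists: *.log files readable by "other" (his baseline is root:wheel rw-r-----) and directories with no index file, which automatic indexing would list. The directory tree it inspects is constructed in a temp dir, so nothing here touches a real server.

```shell
#!/bin/sh
# Added example: audit a DocumentRoot for the exposures discussed in the thread.
# All paths below are constructed by make_sample_docroot, not taken from a real host.

# Print every *.log file under the docroot whose mode grants read to "other".
# -perm -004 matches files with the o+r bit set; a 640 logfile will not match.
world_readable_logs() {
  find "$1" -type f -name '*.log' -perm -004
}

# Print every directory under the docroot that has no index.html or index.php.
# With "Options Indexes" on, such a directory would be listed automatically.
dirs_without_index() {
  find "$1" -type d | while IFS= read -r d; do
    [ -e "$d/index.html" ] || [ -e "$d/index.php" ] || printf '%s\n' "$d"
  done
}

# Build a constructed sample DocumentRoot in a temp dir and print its path:
#   - logs/access.log  mode 644 (exposed, as in the original question)
#   - logs/error.log   mode 640 (locked down as Paul recommends)
#   - index.html and pages/index.php present; logs/ has no index file
make_sample_docroot() {
  root=$(mktemp -d)
  mkdir -p "$root/logs" "$root/pages"
  printf '127.0.0.1 - - "GET / HTTP/1.0" 200\n' > "$root/logs/access.log"
  chmod 644 "$root/logs/access.log"
  printf '[error] constructed sample line\n' > "$root/logs/error.log"
  chmod 640 "$root/logs/error.log"
  : > "$root/index.html"
  : > "$root/pages/index.php"
  printf '%s\n' "$root"
}

# Usage: run both checks against the constructed tree.
sample=$(make_sample_docroot)
echo "World-readable logs under $sample:"
world_readable_logs "$sample"
echo "Directories under $sample with no index file:"
dirs_without_index "$sample"
rm -rf "$sample"
```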