It is a very easy mistake to forget the AllowOverride directive in the Apache configuration file and leave a site rather wide-open. Unless the sysadmin is much more diligent than most, this would go undetected. This is just itching to surface at some inopportune time and give Bugzilla a big black-eye. It would be fairly simple to include a check in sanitycheck that would create an IFRAME or an <img> link in which a file forbidden by .htaccess was referenced. If the webserver retrieved the file, the contents of the file should indicate ... "WARNING - WEBSERVER SECURITY PROBLEM" while an inaccessible file would show either and access denied or a broken image link.
Created attachment 105291 [details] [diff] [review] Patch to sanitycheck.cgi Adds final check to sanitycheck indicating if .htaccess file is being ignored
... which means I guess I own it...
Assignee: justdave → bugreport
Priority: -- → P3
Target Milestone: --- → Bugzilla 2.18
Interesting: Did a spot check of a few known bugzilla sites and some had this messed up. I think this may warrent a crawler that does the following.... for each bugzilla install on list (like in Google)... fetch ... http://bugzilla.location/UPGRADING?What_follows_is_a_courtesy_security_check_see_http://bugzilla.mozilla.org/show_bug.cgi?id=178593 Then fetch ... http://bugzilla.location/data/params?This_is_a_courtesy_security_check_see_http://bugzilla.mozilla.org/show_bug.cgi?id=178593 And email the maintainer (if the param is set) if the webserver is badly enough misconfigured to return data/params.
Status: NEW → ASSIGNED
I think Gerv has already done that at least once....
I've already done this once for every public Bugzilla I could find at the time of the 2.16 release - and it took ages. I checked their version and level of vulnerability, and then mailed all the admins. But your idea is good, and might prevent these problems in future. Review of the patch: "...you have a serious security problem" is alarmist and non-explanatory. How about "If you see... below, your webserver is not set up to restrict important files from public access. This is a security risk. Please see the Bugzilla Guide section X.X for more details." The file should be a PNG (because it contains large areas of block colour) and not a JPG. That will make it look nicer. Also, it would be good if it didn't contain English text. "If you see a red rectange below..." - this would mean we could use a 1x1 pixel red PNG, and just use <img width="300" height="50"> to stretch it. I'm not convinced that sanitycheck.cgi is the best place for this - I'm sure many admins never run it. Can it go on editparams.cgi? Gerv
I really don't think that we want this. For a start, creating the .htaccess is optional anyway - its a localconfig param. Maybe we should print a Big Bad Warning if the user chooses not to access it? More importantly, we don't ship with a data/ directory, so you can't put the .jpg there... What we really should do is move data/ and localconfig out of the web tree. Theres a bug on doing that, somewhere. That would fix this issue permenantly. (We do this by 'moving' localconfig to data/, and then having a new config file which just contains the path to the data dir. People who need to know about that dir get it from Bugzilla::Config) Theres also a second issue, in that changes to .htaccess in checksetup aren't progogated on subsequent runs. We should probably fix that, somehow
Well, 2 of the 6 sites I spot-checked (just by starting from google) has this issue. Both administrators were very happy to be notified, so I stay out of prison :-) [more to the point, I don't fetch any of the touchy files when I check these] So, either I am spectacularly lucky at finding these, or a substantial number of sites out there are at risk. Something needs to be done. I am open to suggestions.
Bugzilla 2.20 feature set is now frozen as of 15 Sept 2004. Anything flagged enhancement that hasn't already landed is being pushed out. If this bug is otherwise ready to land, we'll handle it on a case-by-case basis, please set the blocking2.20 flag to '?' if you think it qualifies.
Target Milestone: Bugzilla 2.20 → Bugzilla 2.22
This would be more appropriate for checksetup than sanitycheck, sanitycheck is unlikely to improve the situation.
However, sanitycheck gets the opportunity to actually run the webserver rather than trying to out-guess it.
testserver.pl does such a check by trying to download localconfig. Do we want to include it in checksetup.pl?
No longer needed since testserver has a test for this.
Status: ASSIGNED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.