Status
()
People
(Reporter: bugreport, Assigned: bugreport)
Tracking
Details
Attachments
(2 attachments)
|
2.41 KB,
image/jpeg
|
Details | |
|
730 bytes,
patch
|
Details | Diff | Splinter Review |
new file data/warning.jpg
It is a very easy mistake to forget the AllowOverride directive in the Apache configuration file and leave a site rather wide-open. Unless the sysadmin is much more diligent than most, this would go undetected. This is just itching to surface at some inopportune time and give Bugzilla a big black-eye. It would be fairly simple to include a check in sanitycheck that would create an IFRAME or an <img> link in which a file forbidden by .htaccess was referenced. If the webserver retrieved the file, the contents of the file should indicate ... "WARNING - WEBSERVER SECURITY PROBLEM" while an inaccessible file would show either and access denied or a broken image link.
|
(Assignee) | |
Comment 1•16 years ago
|
||
Created attachment 105290 [details] new file data/warning.jpg
|
|
(Assignee) | |
Comment 2•16 years ago
|
||
Created attachment 105291 [details] [diff] [review] Patch to sanitycheck.cgi Adds final check to sanitycheck indicating if .htaccess file is being ignored
|
|
(Assignee) | |
Comment 3•16 years ago
|
||
... which means I guess I own it...
Assignee: justdave → bugreport
Priority: -- → P3
Target Milestone: --- → Bugzilla 2.18
|
|
(Assignee) | |
Comment 4•16 years ago
|
||
Interesting: Did a spot check of a few known bugzilla sites and some had this
messed up.
I think this may warrent a crawler that does the following....
for each bugzilla install on list (like in Google)...
fetch ...
http://bugzilla.location/UPGRADING?What_follows_is_a_courtesy_security_check_see_http://bugzilla.mozilla.org/show_bug.cgi?id=178593
Then fetch ...
http://bugzilla.location/data/params?This_is_a_courtesy_security_check_see_http://bugzilla.mozilla.org/show_bug.cgi?id=178593
And email the maintainer (if the param is set) if the webserver is badly
enough misconfigured to return data/params.
Status: NEW → ASSIGNED
|
||
Comment 5•16 years ago
|
||
I think Gerv has already done that at least once....
|
||
Comment 6•16 years ago
|
||
I've already done this once for every public Bugzilla I could find at the time of the 2.16 release - and it took ages. I checked their version and level of vulnerability, and then mailed all the admins. But your idea is good, and might prevent these problems in future. Review of the patch: "...you have a serious security problem" is alarmist and non-explanatory. How about "If you see... below, your webserver is not set up to restrict important files from public access. This is a security risk. Please see the Bugzilla Guide section X.X for more details." The file should be a PNG (because it contains large areas of block colour) and not a JPG. That will make it look nicer. Also, it would be good if it didn't contain English text. "If you see a red rectange below..." - this would mean we could use a 1x1 pixel red PNG, and just use <img width="300" height="50"> to stretch it. I'm not convinced that sanitycheck.cgi is the best place for this - I'm sure many admins never run it. Can it go on editparams.cgi? Gerv
|
||
Comment 7•16 years ago
|
||
I really don't think that we want this. For a start, creating the .htaccess is optional anyway - its a localconfig param. Maybe we should print a Big Bad Warning if the user chooses not to access it? More importantly, we don't ship with a data/ directory, so you can't put the .jpg there... What we really should do is move data/ and localconfig out of the web tree. Theres a bug on doing that, somewhere. That would fix this issue permenantly. (We do this by 'moving' localconfig to data/, and then having a new config file which just contains the path to the data dir. People who need to know about that dir get it from Bugzilla::Config) Theres also a second issue, in that changes to .htaccess in checksetup aren't progogated on subsequent runs. We should probably fix that, somehow
|
|
(Assignee) | |
Comment 8•16 years ago
|
||
Well, 2 of the 6 sites I spot-checked (just by starting from google) has this issue. Both administrators were very happy to be notified, so I stay out of prison :-) [more to the point, I don't fetch any of the touchy files when I check these] So, either I am spectacularly lucky at finding these, or a substantial number of sites out there are at risk. Something needs to be done. I am open to suggestions.
|
|
(Assignee) | |
Updated•15 years ago
|
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
|
|
||
Comment 9•15 years ago
|
||
Bugzilla 2.20 feature set is now frozen as of 15 Sept 2004. Anything flagged enhancement that hasn't already landed is being pushed out. If this bug is otherwise ready to land, we'll handle it on a case-by-case basis, please set the blocking2.20 flag to '?' if you think it qualifies.
Target Milestone: Bugzilla 2.20 → Bugzilla 2.22
|
||
Comment 10•14 years ago
|
||
This would be more appropriate for checksetup than sanitycheck, sanitycheck is unlikely to improve the situation.
|
|
(Assignee) | |
Comment 11•14 years ago
|
||
However, sanitycheck gets the opportunity to actually run the webserver rather than trying to out-guess it.
|
||
Comment 12•14 years ago
|
||
testserver.pl does such a check by trying to download localconfig. Do we want to include it in checksetup.pl?
|
|
(Assignee) | |
Comment 13•14 years ago
|
||
No longer needed since testserver has a test for this.
Status: ASSIGNED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → WORKSFORME
|
||
Updated•14 years ago
|
Target Milestone: Bugzilla 2.22 → ---
|
||
Updated•6 years ago
|
QA Contact: matty_is_a_geek → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•