Sanitycheck should confirm that .htaccess files are working

Status: RESOLVED WORKSFORME
Product: Bugzilla
Component: Administration
Priority: P3
Severity: enhancement
Reported: 16 years ago
Last modified: 5 years ago

Reporter: Joel Peshkin
Assignee: Joel Peshkin

Attachments: 2

Description (Assignee, 16 years ago)
It is a very easy mistake to forget the AllowOverride directive in the Apache
configuration file and leave a site rather wide open.  Unless the sysadmin is
much more diligent than most, this would go undetected.  This is just itching to
surface at some inopportune time and give Bugzilla a big black eye.

It would be fairly simple to include a check in sanitycheck that would create an
IFRAME or an <img> link in which a file forbidden by .htaccess was referenced.
If the webserver retrieved the file, the contents of the file should indicate ...
 "WARNING - WEBSERVER SECURITY PROBLEM"
while an inaccessible file would show either an access denied or a broken image
link.
Comment 1 (Assignee, 16 years ago)

Created attachment 105290: new file data/warning.jpg
Comment 2 (Assignee, 16 years ago)

Created attachment 105291 (patch): Patch to sanitycheck.cgi

Adds final check to sanitycheck indicating if .htaccess file is being ignored
Comment 3 (Assignee, 16 years ago)

... which means I guess I own it...
Assignee: justdave → bugreport
Priority: -- → P3
Target Milestone: --- → Bugzilla 2.18
Comment 4 (Assignee, 16 years ago)

Interesting:  Did a spot check of a few known Bugzilla sites and some had this
messed up.

I think this may warrant a crawler that does the following....
for each bugzilla install on list (like in Google)...
    fetch ...
http://bugzilla.location/UPGRADING?What_follows_is_a_courtesy_security_check_see_http://bugzilla.mozilla.org/show_bug.cgi?id=178593
    Then fetch ...
http://bugzilla.location/data/params?This_is_a_courtesy_security_check_see_http://bugzilla.mozilla.org/show_bug.cgi?id=178593
    And email the maintainer (if the param is set) if the webserver is badly
enough misconfigured to return data/params.

Status: NEW → ASSIGNED
Comment 5

I think Gerv has already done that at least once....

Comment 6

I've already done this once for every public Bugzilla I could find at the time
of the 2.16 release - and it took ages. I checked their version and level of
vulnerability, and then mailed all the admins. But your idea is good, and might
prevent these problems in future. Review of the patch:

"...you have a serious security problem" is alarmist and non-explanatory. How
about "If you see... below, your webserver is not set up to restrict important
files from public access. This is a security risk. Please see the Bugzilla Guide
section X.X for more details." 

The file should be a PNG (because it contains large areas of block colour) and
not a JPG. That will make it look nicer. Also, it would be good if it didn't
contain English text. "If you see a red rectangle below..." - this would mean we
could use a 1x1 pixel red PNG, and just use <img width="300" height="50"> to
stretch it.

I'm not convinced that sanitycheck.cgi is the best place for this - I'm sure
many admins never run it. Can it go on editparams.cgi?

Gerv
Comment 7

I really don't think that we want this.

For a start, creating the .htaccess is optional anyway - it's a localconfig
param. Maybe we should print a Big Bad Warning if the user chooses not to access it?

More importantly, we don't ship with a data/ directory, so you can't put the
.jpg there...

What we really should do is move data/ and localconfig out of the web tree.
There's a bug on doing that, somewhere. That would fix this issue permanently.
(We do this by 'moving' localconfig to data/, and then having a new config file
which just contains the path to the data dir. People who need to know about that
dir get it from Bugzilla::Config)

There's also a second issue, in that changes to .htaccess in checksetup aren't
propagated on subsequent runs. We should probably fix that, somehow
Comment 8 (Assignee, 16 years ago)

Well, 2 of the 6 sites I spot-checked (just by starting from Google) have this
issue.  Both administrators were very happy to be notified, so I stay out of
prison :-)  [more to the point, I don't fetch any of the touchy files when I
check these]

So, either I am spectacularly lucky at finding these, or a substantial number of
sites out there are at risk.  Something needs to be done.  I am open to suggestions.

Updated (Assignee, 14 years ago)

Target Milestone: Bugzilla 2.18 → Bugzilla 2.20

Updated (Assignee, 14 years ago)

Blocks: 251619

Comment 9

Bugzilla 2.20 feature set is now frozen as of 15 Sept 2004.  Anything flagged
enhancement that hasn't already landed is being pushed out.  If this bug is
otherwise ready to land, we'll handle it on a case-by-case basis, please set the
blocking2.20 flag to '?' if you think it qualifies.
Target Milestone: Bugzilla 2.20 → Bugzilla 2.22
Comment 10

This would be more appropriate for checksetup than sanitycheck, sanitycheck is
unlikely to improve the situation.
Comment 11 (Assignee, 13 years ago)

However, sanitycheck gets the opportunity to actually run the webserver rather
than trying to out-guess it.

Comment 12

testserver.pl does such a check by trying to download localconfig. Do we want to
include it in checksetup.pl?
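The description and comment 12 describe the same check from two angles: exercise the real webserver and see whether a file that .htaccess is supposed to hide actually comes back. The script below is an added example, not Bugzilla's own sanitycheck.cgi patch or its testserver.pl; it assumes only the two paths the thread names as sensitive (localconfig, which holds the database password, and data/params), runs the probe server-side instead of through an <img> in a browser, and ships two constructed local HTTP servers standing in for Apache so that an offline run shows both the misconfigured and the correct outcome. Run it only against an installation you administer, because a successful fetch of localconfig reads the database password.

```python
"""Probe a Bugzilla web root for files its .htaccess rules should hide.

Added example, not Bugzilla's testserver.pl or sanitycheck.cgi code.  The
local servers below are a constructed stand-in for Apache so it runs offline.
"""
import functools
import http.server
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

# Files the thread names as sensitive; a 200 with raw content on either
# means AllowOverride (or an equivalent) is missing from the Apache config.
PROTECTED_PATHS = ("localconfig", "data/params")
# Explains the request to whoever reads the access log (cf. comment 4).
COURTESY_TAG = "?This_is_a_courtesy_security_check"


def probe(base_url, path, timeout=10):
    """GET base_url/path; return (HTTP status or None, first 4 KiB of body)."""
    url = f"{base_url.rstrip('/')}/{path}{COURTESY_TAG}"
    req = urllib.request.Request(url, headers={"User-Agent": "htaccess-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)  # never pull a leaked file in full
    except urllib.error.HTTPError as err:        # 403/404/...: server answered
        return err.code, b""
    except urllib.error.URLError:                # refused, DNS failure, timeout
        return None, b""


def classify(status, body):
    """Map a response to 'blocked', 'EXPOSED' or 'unclear' (needs a human)."""
    if status in (401, 403, 404):
        return "blocked"
    if status == 200:
        head = body.lstrip().lower()
        if head.startswith(b"<!doctype") or head.startswith(b"<html"):
            # 200 but HTML: custom error page, login redirect or catch-all,
            # not the raw file.  Inspect by hand rather than call it safe.
            return "unclear"
        return "EXPOSED"
    return "unclear"


def check_install(base_url):
    """Return {path: verdict} for every protected path under base_url."""
    return {p: classify(*probe(base_url, p)) for p in PROTECTED_PATHS}


# --- constructed local servers standing in for Apache -------------------
class OpenHandler(http.server.SimpleHTTPRequestHandler):
    """Serves everything: what Apache does when AllowOverride is missing."""
    def log_message(self, *args):
        pass


class HtaccessHonouredHandler(OpenHandler):
    """Refuses the protected paths, as Apache does when .htaccess is read."""
    def do_GET(self):
        rel = self.path.split("?", 1)[0].lstrip("/")
        if rel in PROTECTED_PATHS:
            self.send_error(403)
            return
        super().do_GET()


def serve(root, handler_cls):
    """Start handler_cls on an ephemeral localhost port; return (server, url)."""
    handler = functools.partial(handler_cls, directory=root)
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo():
    """Run the check against both stand-in servers; return both verdict maps."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files; the password is a placeholder.
        Path(root, "localconfig").write_text("$db_pass = 'placeholder';\n")
        Path(root, "data").mkdir()
        Path(root, "data", "params").write_text("%param = ('urlbase' => 'x');\n")
        for label, handler in (("misconfigured", OpenHandler),
                               ("htaccess_honoured", HtaccessHonouredHandler)):
            srv, url = serve(root, handler)
            try:
                results[label] = check_install(url)
            finally:
                srv.shutdown()
                srv.server_close()
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # python3 htaccess_check.py https://bugzilla.example/
        print(check_install(sys.argv[1]))
    else:                   # no URL given: run the offline demonstration
        for name, verdicts in demo().items():
            print(name, verdicts)
```

A 403 or 404 is the outcome you want; a 200 whose body is not HTML is the leak the bug describes, and a 200 that is HTML is left as "unclear" on purpose, since a custom error page or a login redirect can mask either state. Run it from a host other than the server when you can: a reverse proxy or a differently configured vhost in front of Apache may not be what localhost sees.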
Comment 13 (Assignee, 13 years ago)

No longer needed since testserver has a test for this.
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → WORKSFORME

Updated (13 years ago)

Target Milestone: Bugzilla 2.22 → ---
QA Contact: matty_is_a_geek → default-qa