Bug 178593 - Sanitycheck should confirm that .htaccess files are working
Status: RESOLVED WORKSFORME (Closed)
Opened 23 years ago, closed 20 years ago
Categories: Bugzilla :: Administration, task, P3
People: Reporter: bugreport, Assigned: bugreport
Attachments (2 files):
- 2.41 KB, image/jpeg
- 730 bytes, patch
Description
It is a very easy mistake to forget the AllowOverride directive in the Apache
configuration file and leave a site rather wide open. Unless the sysadmin is
much more diligent than most, this would go undetected. This is just itching to
surface at some inopportune time and give Bugzilla a big black eye.
It would be fairly simple to include a check in sanitycheck that would create an
IFRAME or an <img> link in which a file forbidden by .htaccess was referenced.
If the webserver retrieved the file, the contents of the file should indicate ...
"WARNING - WEBSERVER SECURITY PROBLEM"
while an inaccessible file would show either an access denied or a broken image
link.
Comment 1•23 years ago (Assignee)

Comment 2•23 years ago (Assignee)
Adds final check to sanitycheck indicating if .htaccess file is being ignored
Comment 3•23 years ago (Assignee)
... which means I guess I own it...
Assignee: justdave → bugreport
Priority: -- → P3
Target Milestone: --- → Bugzilla 2.18
Comment 4•23 years ago (Assignee)
Interesting: Did a spot check of a few known bugzilla sites and some had this
messed up.
I think this may warrant a crawler that does the following....
for each bugzilla install on list (like in Google)...
fetch ...
http://bugzilla.location/UPGRADING?What_follows_is_a_courtesy_security_check_see_http://bugzilla.mozilla.org/show_bug.cgi?id=178593
Then fetch ...
http://bugzilla.location/data/params?This_is_a_courtesy_security_check_see_http://bugzilla.mozilla.org/show_bug.cgi?id=178593
And email the maintainer (if the param is set) if the webserver is badly
enough misconfigured to return data/params.
Status: NEW → ASSIGNED
Comment 5•23 years ago
I think Gerv has already done that at least once....
Comment 6•23 years ago
I've already done this once for every public Bugzilla I could find at the time
of the 2.16 release - and it took ages. I checked their version and level of
vulnerability, and then mailed all the admins. But your idea is good, and might
prevent these problems in future. Review of the patch:
"...you have a serious security problem" is alarmist and non-explanatory. How
about "If you see... below, your webserver is not set up to restrict important
files from public access. This is a security risk. Please see the Bugzilla Guide
section X.X for more details."
The file should be a PNG (because it contains large areas of block colour) and
not a JPG. That will make it look nicer. Also, it would be good if it didn't
contain English text. "If you see a red rectangle below..." - this would mean we
could use a 1x1 pixel red PNG, and just use <img width="300" height="50"> to
stretch it.
I'm not convinced that sanitycheck.cgi is the best place for this - I'm sure
many admins never run it. Can it go on editparams.cgi?
Gerv
Comment 7•23 years ago
I really don't think that we want this.
For a start, creating the .htaccess is optional anyway - it's a localconfig
param. Maybe we should print a Big Bad Warning if the user chooses not to access it?
More importantly, we don't ship with a data/ directory, so you can't put the
.jpg there...
What we really should do is move data/ and localconfig out of the web tree.
There's a bug on doing that, somewhere. That would fix this issue permanently.
(We do this by 'moving' localconfig to data/, and then having a new config file
which just contains the path to the data dir. People who need to know about that
dir get it from Bugzilla::Config)
There's also a second issue, in that changes to .htaccess in checksetup aren't
propagated on subsequent runs. We should probably fix that, somehow.
Comment 8•23 years ago (Assignee)
Well, 2 of the 6 sites I spot-checked (just by starting from google) have this
issue. Both administrators were very happy to be notified, so I stay out of
prison :-) [more to the point, I don't fetch any of the touchy files when I
check these]
So, either I am spectacularly lucky at finding these, or a substantial number of
sites out there are at risk. Something needs to be done. I am open to suggestions.
Updated•21 years ago (Assignee)
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
Comment 9•21 years ago
Bugzilla 2.20 feature set is now frozen as of 15 Sept 2004. Anything flagged
enhancement that hasn't already landed is being pushed out. If this bug is
otherwise ready to land, we'll handle it on a case-by-case basis, please set the
blocking2.20 flag to '?' if you think it qualifies.
Target Milestone: Bugzilla 2.20 → Bugzilla 2.22
Comment 10•21 years ago
This would be more appropriate for checksetup than sanitycheck; sanitycheck is
unlikely to improve the situation.
Comment 11•21 years ago (Assignee)
However, sanitycheck gets the opportunity to actually run the webserver rather
than trying to out-guess it.
Comment 12•21 years ago
testserver.pl does such a check by trying to download localconfig. Do we want to
include it in checksetup.pl?
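An added example (my own code, not Bugzilla's testserver.pl and not the attached patch) of the check described in the bug description and in comment 12: request the files the generated .htaccess is supposed to deny from your own installation and flag any that come back readable. The marker strings, the "htaccess-selfcheck" user agent and the constructed sample responses are assumptions.

```python
import sys
import urllib.error
import urllib.request

# Files the generated .htaccess is meant to keep private. localconfig and
# data/params are named in this bug; the marker strings are assumed fragments
# of those files (for example the $db_pass setting in localconfig).
LEAK_MARKERS = {
    "localconfig": ("$db_pass", "$webservergroup"),
    "data/params": ("%param", "urlbase"),
}

def classify(status, body, markers):
    """Verdict for one response: 'exposed', 'denied', 'missing' or 'unknown'."""
    if status in (401, 403):
        return "denied"   # the server refused: .htaccess is being honoured
    if status == 404:
        return "missing"  # absent or rewritten; not proof of protection
    if status == 200 and any(m in body for m in markers):
        return "exposed"  # the real file was served: .htaccess is ignored
    return "unknown"      # e.g. a 200 'soft error' page; inspect by hand

def fetch(base_url, path, timeout=10):
    """GET base_url/path, reading only the first 4 KiB (enough to spot a marker)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/" + path,
                                 headers={"User-Agent": "htaccess-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def check_site(base_url, fetcher=fetch):
    """Return {path: verdict} for every protected file."""
    return {p: classify(*fetcher(base_url, p), m) for p, m in LEAK_MARKERS.items()}

def htaccess_enforced(results):
    return "exposed" not in results.values()

# Constructed responses imitating a server that ignores .htaccess (offline run).
SAMPLE = {"localconfig": (200, "$db_pass = 'secret';\n"), "data/params": (403, "")}
sample_fetcher = lambda base_url, path: SAMPLE[path]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else ""
    verdicts = check_site(target, fetch if target else sample_fetcher)
    for path, verdict in verdicts.items():
        print(f"{path}: {verdict}")
    sys.exit(0 if htaccess_enforced(verdicts) else 1)
```

Run with the base URL of your own Bugzilla as the only argument; a non-zero exit means at least one protected file was served and AllowOverride needs fixing.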
Comment 13•20 years ago (Assignee)
No longer needed since testserver has a test for this.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
Updated•20 years ago
Target Milestone: Bugzilla 2.22 → ---
Updated•13 years ago
QA Contact: matty_is_a_geek → default-qa