We have already seen the security problems (or potential problems) in Apache on Mac OS X that stem from the case-insensitivity of HFS+. By exploiting the case-insensitivity of HFS+, an attacker can evade Apache's access controls.
Using mod_hfs (which takes care of case-insensitivity in directory names) and using <FilesMatch> directives (with well-chosen regular expressions) instead of <Files> directives (to take care of case-insensitivity in filenames), we can "cure" the case-insensitivity problem and restore Apache's access controls.
However, there is another problem lurking. A vulnerability has been found that allows remote attackers to list the contents of a directory, and to view the index file built for those files, by requesting special files that Mac OS X creates automatically.
Credit:
The information has been provided by Jacques Distler, Eric Bennett, and Paul Lieberman.
You typically do not want people to be able to obtain a list of the files in your web directory, or an index of their contents (contents of files that they might not even have access to, due to security restrictions). To allow them to obtain such a list, for example, you explicitly have to:
1) NOT have an index.html file in the directory
2) Include an Options Indexes directive among the access controls for that directory
The Finder program creates an invisible set of files, ".DS_Store", ".FBCIndex", and ".FBCSemaphoreFile" (the latter two under the hidden directory .FBCLockFolder), in each directory it has displayed; these files contain sensitive information about that directory.
Therefore, if for example an administrator has EVER viewed a web directory in the Finder, an attacker can just retrieve:
http://your.mac.example.com/some_directory/.dS_store
to learn what files are in that directory, or
http://your.mac.example.com/some_directory/.FBCIndex
to learn what content those files have (even if he does not have enough privileges to view them directly).
Solution:
The solution is, again, to use a <FilesMatch> directive in httpd.conf to forbid retrieval of these files:
# The Finder creates an invisible .DS_Store file in each directory.
# For 'no-index' access controls to be effective, we had better forbid
# retrieval of that file as well. Note that we have to protect
# against the same case-insensitivity bug as above.
#
<FilesMatch "^\.">
    Order allow,deny
    Deny from all
</FilesMatch>
This would block access to any hidden file (a file whose name starts with '.'). And, of course, you need to run
# sudo apachectl restart
when you are done.
(NOTE: because the pattern matches any name beginning with '.', this solution would also block access to '..', the parent-directory entry, in directory listings.)
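As an added check (example code written for this page, not part of the original advisory), the script below audits a DocumentRoot for the Finder artifacts named above and emulates how the <FilesMatch "^\."> rule is applied, so an administrator can confirm every artifact found is covered. It assumes Apache tests the FilesMatch regex against the final path component only, and that the web root path is passed on the command line.

```python
"""Audit a web root for Finder metadata files and check the FilesMatch rule covers them."""
import os
import re
import sys

# Names the advisory says the Finder leaves behind. Compared case-insensitively,
# since HFS+ ignores case and so can the attacker's request (.dS_store).
FINDER_ARTIFACTS = {".ds_store", ".fbcindex", ".fbcsemaphorefile", ".fbclockfolder"}

# The pattern from the advisory's <FilesMatch> block.
FILESMATCH_PATTERN = r"^\."


def is_blocked(request_path: str, pattern: str = FILESMATCH_PATTERN) -> bool:
    """Emulate <FilesMatch>: Apache applies the regex to the final path component
    (the file name), not to the whole URL. Assumption: the request has already
    been mapped to a path under DocumentRoot. The regex is searched, not
    fully matched, as Apache does with PCRE."""
    filename = request_path.rstrip("/").rsplit("/", 1)[-1]
    return re.search(pattern, filename) is not None


def find_finder_artifacts(docroot: str) -> list:
    """Walk DocumentRoot and return the relative paths of Finder-created
    metadata files and directories, so they can be removed or confirmed blocked."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            if name.lower() in FINDER_ARTIFACTS:
                hits.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python audit_finder_files.py /Library/WebServer/Documents (path is an assumption)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel in find_finder_artifacts(root):
        print(rel, "blocked" if is_blocked(rel) else "NOT blocked")
```

Note that a hit reported as "NOT blocked" means the artifact is reachable even with the rule in place, which with this pattern should not happen since every artifact name starts with '.'.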