
apache2: insecure default configuration

Package(s): apache2
CVE #(s): CVE-2012-0216
Created: April 16, 2012
Updated: April 19, 2012
Description: From the Debian advisory:

Niels Heinen noticed a security issue with the default Apache configuration on Debian if certain scripting modules like mod_php or mod_rivet are installed. The problem arises because the directory /usr/share/doc, which is mapped to the URL /doc, may contain example scripts that can be executed by requests to this URL. Although access to the URL /doc is restricted to connections from localhost, this still creates security issues in two specific configurations:

- If some front-end server on the same host forwards connections to an apache2 backend server on the localhost address, or
- if the machine running apache2 is also used for web browsing.

Systems not meeting one of these two conditions are not known to be vulnerable. The actual security impact depends on which packages (and accordingly which example scripts) are installed on the system. Possible issues include cross site scripting, code execution, or leakage of sensitive data.

Alerts:
Debian DSA-2452-1 2012-04-15


Scripts confined to explicit directory

Posted Apr 19, 2012 9:43 UTC (Thu) by epa (subscriber, #39769) [Link]

Can mod_php be put back in its cage? If you want to execute scripts in a directory then add that directory explicitly to httpd.conf. The web server has no business running files in arbitrary directories as scripts just because their filename matches a certain pattern.

Having once been pwned by an unfortunate interaction between Twiki and PHP (where Twiki allows file attachments which are then served directly by the webserver, so somebody can upload a file with a .php extension), I always disable mod_php as the first thing when configuring a server. If it were a bit better behaved by default, admins would be more likely to enable it.
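The advisory above describes a server-wide script handler meeting a localhost-only documentation alias, and the comment above argues that script execution should instead be granted only to directories named explicitly in the configuration. The following Apache configuration is an added illustration of both points; it is not the Debian package's actual configuration and not the DSA-2452 patch. The /doc alias and /usr/share/doc come from the advisory; /var/www/app and its attachments subdirectory are assumed paths, and the access-control directives use the Apache 2.2 syntax in use when the advisory was issued.

```apache
# Added illustration (not Debian's shipped configuration and not the DSA-2452
# fix). Two alternatives are shown back to back: the risky shape first, then a
# confined shape. Use one or the other, never both in the same server.
# Assumed paths: /var/www/app and /var/www/app/pub/attachments.

### Risky shape: a server-wide handler plus a documentation alias.
# mod_php attaches its handler to every .php file anywhere under the document
# tree or any Alias, including example scripts shipped under /usr/share/doc.
<IfModule mod_php5.c>
    AddHandler application/x-httpd-php .php .phtml
</IfModule>

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    # Only localhost may reach /doc; a reverse proxy on the same host, or a
    # browser running on the server, satisfies exactly that condition.
    Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

### Confined shape: the handler exists only for one application directory.
<IfModule mod_php5.c>
    # Engine off at server scope, so a stray AddHandler in some other include
    # still cannot execute anything; it is switched back on only where wanted.
    php_admin_flag engine off
</IfModule>

<Directory "/var/www/app">
    Options -Indexes -ExecCGI
    AllowOverride None
    <IfModule mod_php5.c>
        php_admin_flag engine on
        <FilesMatch "\.php$">
            SetHandler application/x-httpd-php
        </FilesMatch>
    </IfModule>
</Directory>

# The documentation alias keeps its localhost restriction but never runs
# scripts, whichever packages drop example .php files under /usr/share/doc;
# such files are served as plain text, as documentation should be.
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
    RemoveHandler .php .phtml
    RemoveType .php .phtml
</Directory>

# Same treatment for a directory holding user-supplied files (assumed path),
# the TWiki attachment case: the server may serve them, never interpret them.
<Directory "/var/www/app/pub/attachments">
    Options -ExecCGI -Includes
    AllowOverride None
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
    RemoveHandler .php .phtml .phps
    RemoveType .php .phtml .phps
</Directory>
```

After `apache2ctl configtest` and a reload, a quick check is to request a known example script under /doc from the loopback address (with a local proxy in front, through that proxy as well) and confirm that the response is the script's source with a text content type rather than its output. On Apache 2.4 the `Order`/`Deny`/`Allow` lines become `Require local`; the `php_admin_flag`, `SetHandler`, `RemoveHandler` and `RemoveType` directives are unchanged.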

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds