Apache and PHP Vulnerabilities
1. Indexable Web Directories
Ensure that directory indexing is not enabled on this web server.
How to disable directory browsing using .htaccess - Apache Web Server
Apache's Indexes option, which is commonly enabled in default configurations, lets a client that requests a directory containing no index file (index.html, index.php, ...) receive an automatic listing of every file in that directory. From a security standpoint it is always better to disable directory browsing, since the listing exposes backup files, configuration files and other content that was never meant to be linked. To disable it, edit httpd.conf or the relevant .htaccess file.
Disable directory browsing using .htaccess:-
• Open your .htaccess file
• Look for Options Indexes
• If Options Indexes exists, modify it to Options -Indexes; otherwise add Options -Indexes as a new line
• Directory browsing should now be disabled
Note that a .htaccess file can only change Options if the enclosing <Directory> section in httpd.conf grants AllowOverride Options (or AllowOverride All); with AllowOverride None the .htaccess file is not read at all, so verify the change by requesting a directory without an index file and confirming that no listing comes back.
Disable directory browsing using httpd.conf:-
• Open your httpd.conf, normally located under /usr/local/apache/conf or /etc (for example /etc/httpd/conf/httpd.conf on Red Hat derived systems, /etc/apache2/apache2.conf on Debian and Ubuntu)
• Go to your own Virtual Host settings and look for "Options Indexes" (Options is normally set inside a <Directory> block)
• Change Indexes to -Indexes if an Options Indexes line exists; otherwise add an Options -Indexes line
• Restart (or reload) your Apache web server
• Directory browsing should now be disabled
Be careful with the syntax: an Options line whose arguments all carry a leading + or - is merged with the options inherited from enclosing sections, whereas an Options line with any bare argument replaces the inherited set entirely. Options -Indexes therefore removes only directory listing and keeps everything else, which is usually what you want.
http://www.techiecorner.com/106/how-to-disable-directory-browsing-using-htaccess-apache-web-server/
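As an added example (not code from the original page or from Apache itself), the following Python audits an httpd.conf and an optional .htaccess to decide whether directory listing is effectively on for a given directory. It models the Options merge rule the steps above rely on without stating it (arguments with a leading + or - merge into the inherited options, a bare list replaces them) and applies the AllowOverride check that decides whether a .htaccess Options line is honoured at all. The configuration text, paths and function names are constructed for this example.

```python
"""Audit Apache 'Options' directives for directory browsing (Indexes).

Added example, not taken from the article or from Apache. Merge rule modelled:
  * an Options line whose every argument has a leading + or - is merged into
    the options inherited from the enclosing (less specific) section;
  * an Options line with any bare argument replaces the inherited set.
Only top-level <Directory> sections plus a .htaccess in the target directory
are handled (no <DirectoryMatch>, <Location> or <VirtualHost> nesting).
"""
import re

# 'All' is every option except MultiViews.
ALL_OPTIONS = {"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
               "Indexes", "SymLinksIfOwnerMatch"}


def merge_options(inherited, args):
    """Apply one Options directive (its argument list) to an inherited set."""
    signed = [a for a in args if a[0] in "+-"]
    if signed and len(signed) != len(args):
        raise ValueError("Options mixes +/- and bare arguments: %r" % (args,))
    if not signed:                          # bare list: replaces everything
        result = set()
        for a in args:
            if a == "All":
                result |= ALL_OPTIONS
            elif a != "None":
                result.add(a)
        return result
    result = set(inherited)                 # signed list: merges
    for a in args:
        names = ALL_OPTIONS if a[1:] == "All" else {a[1:]}
        result = result | names if a[0] == "+" else result - names
    return result


def parse_sections(config_text):
    """[[directory, options_args, allowoverride_args], ...] for the global
    scope (recorded as '/') and each <Directory> block, in file order.
    Apache only permits '#' comments on their own line, so such lines are skipped."""
    sections = [["/", None, None]]
    current = sections[0]
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+?)"?\s*>', line, re.I)
        if m:
            current = [m.group(1).rstrip("/") or "/", None, None]
            sections.append(current)
            continue
        if re.match(r"</Directory\s*>", line, re.I):
            current = sections[0]
            continue
        m = re.match(r"(Options|AllowOverride)\s+(.*)", line, re.I)
        if m:
            current[1 if m.group(1).lower() == "options" else 2] = m.group(2).split()
    return sections


def effective_options(config_text, target_dir, htaccess_text=None,
                      server_default=frozenset()):
    """Options Apache applies to target_dir: server_default (the compiled-in
    default is 'All' on 2.2, FollowSymLinks only on 2.4), then the global scope
    and each enclosing <Directory> shortest path first, then a .htaccess
    Options line if AllowOverride permits one."""
    target = target_dir.rstrip("/") or "/"
    applicable = [s for s in parse_sections(config_text)
                  if target == s[0] or target.startswith(s[0].rstrip("/") + "/")]
    applicable.sort(key=lambda s: len(s[0]))     # stable sort keeps file order on ties
    options, override = set(server_default), ["None"]
    for _, opt_args, ao_args in applicable:
        if opt_args:
            options = merge_options(options, opt_args)
        if ao_args:
            override = ao_args
    allowed = any(a.lower() in ("all", "options") or a.lower().startswith("options=")
                  for a in override)
    if htaccess_text and allowed:
        for line in htaccess_text.splitlines():
            m = re.match(r"Options\s+(.*)", line.strip(), re.I)
            if m:
                options = merge_options(options, m.group(1).split())
    return options


def directory_listing_enabled(config_text, target_dir, htaccess_text=None):
    """True when a directory without an index file would be listed automatically."""
    return "Indexes" in effective_options(config_text, target_dir, htaccess_text)


# Constructed sample configuration for this example (not a real server's).
SAMPLE_HTTPD_CONF = """\
Options All
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride Options
</Directory>
<Directory "/var/www/html/private">
    # signed argument: merges, removing only Indexes
    Options -Indexes
</Directory>
<Directory "/var/www/html/uploads">
    # bare argument: replaces the inherited set, Indexes included
    Options FollowSymLinks
</Directory>
"""
SAMPLE_HTACCESS = "Options -Indexes\n"

if __name__ == "__main__":
    for d in ("/var/www/html", "/var/www/html/private",
              "/var/www/html/uploads", "/var/www/html/public"):
        print("%-24s listing %s" % (d, "ON" if directory_listing_enabled(SAMPLE_HTTPD_CONF, d) else "off"))
    print("%-24s listing %s" % ("/var/www/html/public (+.htaccess)",
          "ON" if directory_listing_enabled(SAMPLE_HTTPD_CONF, "/var/www/html/public", SAMPLE_HTACCESS) else "off"))
```

The "/var/www/html/public" case shows the AllowOverride dependency: the same .htaccess line has no effect if the parent <Directory> block's AllowOverride does not include Options.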
2. HTTP TRACE
Disable the TRACE method on your Internet-accessible web servers. Newer Apache servers include a "TraceEnable" directive for httpd.conf, while older versions of Apache can use mod_rewrite to block these requests. In a Microsoft IIS environment, the "EnableTraceMethod" value in the Registry (HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters) should be set to 0, or the URLScan tool may be used to reject TRACE requests.
Apache Tips: Disable the HTTP TRACE method
Applies: apache 1.3.x / apache 2.0.x
Required apache module: -
Scope: global server configuration
Type: security
Description: How to disable the HTTP TRACE method on recent apache versions.
Most vulnerability scanners (the popular Nessus, but commercial ones as well) will complain, normally as a low-severity finding or warning, about the TRACE method being enabled on the web server tested.
Normally TRACE is enabled by default, but if you want to test whether it is really enabled on your server, telnet to the port your web server is listening on and send "TRACE / HTTP/1.0" followed by a Host header and an empty line. A positive reply (a 200 response whose body echoes your request) means TRACE is enabled. The output of a server with TRACE enabled looks like this:
telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is ^].
TRACE / HTTP/1.0
Host: foo
Any text entered here will be echoed back in the response <- ENTER twice to finish
HTTP/1.1 200 OK
Date: Sat, 20 Oct 2007 20:39:36 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Connection: close
Content-Type: message/http
TRACE / HTTP/1.0
Host: foo
Any text entered here will be echoed back in the response
Connection closed by foreign host.
Traditionally, experts suggest disabling this with rewrite rules like:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
(this needs to be added to your main Apache config file outside of any vhost or directory config; note that rewrite rules in the main server scope are not inherited by virtual hosts unless each vhost also sets RewriteOptions Inherit or carries its own copy of the rules).
Still, this has the disadvantage that you need mod_rewrite enabled on the server just for this, to mention only one. For Apache 1.3.34 and later in the legacy branch, and 2.0.55 and later for Apache 2, it can be done much more simply because there is a directive that controls whether the TRACE method is enabled:
TraceEnable off
This goes in the main server config (it is also accepted inside a virtual host), and the default is enabled (on). TraceEnable off causes Apache to return a 403 Forbidden error to the client.
After setting this and reloading the apache config the same server as above shows:
telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is ^].
TRACE / HTTP/1.0
Host: foo
testing... <- ENTER twice
HTTP/1.1 403 Forbidden
Date: Sat, 20 Oct 2007 20:38:31 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1
Forbidden
You don't have permission to access /
on this server.
Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07) Server at foo Port 80
Connection closed by foreign host.
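The exchange above, scripted, as an added example that is not part of the original article: trace_enabled() applies the same test the telnet session does (a 200 reply of type message/http whose body echoes the request line), so a 403 from TraceEnable off or the mod_rewrite rule, or a 405 from other servers, classifies as disabled, and probe_trace() performs the exchange over a socket. The sample responses are constructed, modelled on the transcripts in the text, and the X-Probe header is an arbitrary marker chosen for this example.

```python
"""Probe a web server for HTTP TRACE and classify the answer.

Added example, not code from the original article. trace_enabled() is an
offline classifier; probe_trace() does the network exchange.
"""
import socket


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lowercase header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_enabled(raw):
    """True only when the server honoured TRACE: status 200, a message/http
    body, and that body starting with the echoed request line. A 200 with an
    HTML body (server treated TRACE like GET) is not counted as enabled."""
    status, headers, body = parse_response(raw)
    if status != 200:
        return False
    ctype = headers.get("content-type", "").lower()
    return ctype.startswith("message/http") and body.startswith(b"TRACE ")


def build_trace_request(host, marker=b"trace-probe-marker"):
    """TRACE request carrying a marker header; an enabled server echoes it back,
    which is what makes the reflection observable. X-Probe is an arbitrary name."""
    return (b"TRACE / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n"
            b"X-Probe: " + marker + b"\r\n\r\n")


def probe_trace(host, port=80, timeout=5.0):
    """Run the exchange against a live server and return the classification.
    Requires network access; the offline samples below do not call it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_enabled(b"".join(chunks))


# Constructed samples modelled on the article's telnet transcripts.
ENABLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sat, 20 Oct 2007 20:39:36 GMT\r\n"
    b"Server: Apache/2.2.6 (Debian) PHP/4.4.4-9\r\n"
    b"Connection: close\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.0\r\nHost: foo\r\nX-Probe: trace-probe-marker\r\n\r\n"
)
DISABLED_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Date: Sat, 20 Oct 2007 20:38:31 GMT\r\n"
    b"Server: Apache/2.2.6 (Debian) PHP/4.4.4-9\r\n"
    b"Content-Length: 320\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Forbidden</h1></body></html>"
)
# A server that answers TRACE with an ordinary page is not reflecting anything.
GET_LIKE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>home</html>"
)

if __name__ == "__main__":
    print("enabled sample  ->", trace_enabled(ENABLED_RESPONSE))
    print("disabled sample ->", trace_enabled(DISABLED_RESPONSE))
    print("get-like sample ->", trace_enabled(GET_LIKE_RESPONSE))
```

To test a real host, call probe_trace("www.example.org") from a shell that is allowed to reach it; after setting TraceEnable off and reloading, the same call should return False.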
Enabling mod_rewrite
Verify that the following directive is uncommented:
LoadModule rewrite_module modules/mod_rewrite.so
(For IBM HTTP Server 2.0.42 and all later releases.)
http://publib.boulder.ibm.com/httpserv/ihsdiag/rewrite.html#enabling
3. PHP expose_php Version Disclosure
The purpose of expose_php is merely to advertise that PHP is running on the server: with it on, PHP adds an X-Powered-By: PHP/x.y.z header to the responses it generates, which hands an attacker the exact PHP version to target. It is recommended that this be disabled on production hosts. Set expose_php = Off in the PHP configuration file php.ini to disable this behaviour. Because php.ini is read at startup, a restart of the HTTP server (or of the PHP-FPM service, if PHP runs that way) is necessary for the change to take effect. Note that the Server header in the TRACE transcripts above (Apache/2.2.6 (Debian) PHP/4.4.4-9 ...) is a separate disclosure: that token comes from Apache's ServerTokens directive, not from expose_php, and ServerTokens Prod reduces the header to just "Apache".
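As an added example (not part of the original text), the following Python checks a captured response header block for PHP version disclosure in both X-Powered-By and Server, and reads the effective expose_php value out of php.ini text, honouring PHP's built-in default of On when the setting is absent or commented out. The response headers and php.ini fragments are constructed for this example.

```python
"""Detect PHP version disclosure in response headers and audit php.ini.

Added example, not code from the original text. version_disclosures() scans a
header block for PHP/x.y.z tokens; expose_php_setting() returns the effective
boolean for expose_php from php.ini text.
"""
import re

# PHP version tokens look like PHP/4.4.4-9 or PHP/8.2.12 (optional distro suffix).
PHP_VERSION = re.compile(r"\bPHP/(\d+(?:\.\d+)*(?:-[\w.]+)?)")


def version_disclosures(raw_headers):
    """Return {lowercase header name: php version} for every header that leaks
    a PHP version. raw_headers is the header block of an HTTP response (CRLF or LF)."""
    found = {}
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep:                         # status line or blank line
            continue
        m = PHP_VERSION.search(value)
        if m:
            found[name.strip().lower()] = m.group(1)
    return found


def expose_php_setting(ini_text):
    """Effective expose_php value from php.ini text. ';' starts a comment, the
    last uncommented assignment wins, and PHP's default is On when the key is
    absent. Truthy ini values are 1, on, true and yes (case-insensitive)."""
    value = "on"
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = re.match(r"expose_php\s*=\s*(.*)", line, re.I)
        if m:
            value = m.group(1).strip().strip('"').lower()
    return value in ("1", "on", "true", "yes")


# Constructed samples for this example.
LEAKY_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.6 (Debian) PHP/4.4.4-9\r\n"
    "X-Powered-By: PHP/4.4.4-9\r\n"
    "Content-Type: text/html\r\n"
)
HARDENED_HEADERS = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
)
# Commented-out assignment: the default (On) applies, a common misconfiguration.
INI_COMMENTED_OUT = "[PHP]\n; expose_php = Off\n"
INI_HARDENED = "[PHP]\nexpose_php = On\n; the later assignment wins\nexpose_php = Off\n"

if __name__ == "__main__":
    print("leaky    ->", version_disclosures(LEAKY_HEADERS))
    print("hardened ->", version_disclosures(HARDENED_HEADERS))
    print("commented-out ini exposes PHP:", expose_php_setting(INI_COMMENTED_OUT))
    print("hardened ini exposes PHP:     ", expose_php_setting(INI_HARDENED))
```

Fixing expose_php removes only the X-Powered-By entry from the first result; the Server entry persists until ServerTokens is tightened in the Apache configuration, which is why the check reports both headers separately.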