Apache Security - Ivan Ristic [149]
Configure server software (web server, application server, etc.) such that it does not display verbose error messages to end users and instead logs them into a log file.
Instruct developers to do the same for the applications and have applications respond with HTTP status 500 whenever an error occurs.
Install custom error pages using the Apache ErrorDocument directive.
If all else fails (you have to live with an application that behaves incorrectly and you cannot change it), a workaround is possible with Apache 2 and mod_security. Using output filtering (described in Chapter 12), error messages can be detected and replaced with less dangerous content before the response is delivered to the client.
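The first two points above (verbose errors go to a log file, the client gets a bare HTTP 500) are easy to get wrong in application code, so here is a minimal illustration of the pattern. It is an added example, not code from the book: the request dictionary, the handler and the in-memory log stream are constructed stand-ins, and in a real deployment the log handler would write to a file readable only by administrators.

```python
import io
import logging
import traceback

# Constructed stand-in for a log file (in production a logging.FileHandler on a
# path such as /var/log/app/error.log, which only administrators can read).
LOG_STREAM = io.StringIO()
log = logging.getLogger("app.errors")
log.setLevel(logging.ERROR)
log.propagate = False
log.addHandler(logging.StreamHandler(LOG_STREAM))

GENERIC_ERROR_BODY = "<html><body><h1>500 Internal Server Error</h1></body></html>"


def verbose_error_page(exc, request):
    """The behaviour to avoid: exception text and traceback go to the client."""
    return 200, "Error: %s\nRequest: %r\n%s" % (exc, request, traceback.format_exc())


def safe_error_response(exc, request):
    """Log what a developer needs; send the client only a generic 500 page."""
    log.error("request %s from %s failed: %r\n%s",
              request["path"], request["remote_addr"], exc, traceback.format_exc())
    return 500, GENERIC_ERROR_BODY


def dispatch(handler, request, safe=True):
    """Run a page handler and turn any unhandled exception into an HTTP response.
    Returns (status_code, body)."""
    try:
        return 200, handler(request)
    except Exception as exc:
        # Still inside the except block, so traceback.format_exc() has the trace.
        if safe:
            return safe_error_response(exc, request)
        return verbose_error_page(exc, request)


def buggy_handler(request):
    """Constructed handler: pretend a database driver failed and echoed the query."""
    raise RuntimeError("syntax error in: SELECT * FROM users WHERE id=%s" % request["query"])


# Constructed sample request (RFC 5737 documentation address).
SAMPLE_REQUEST = {"path": "/account", "remote_addr": "192.0.2.10", "query": "42'"}


def logged_errors():
    """Return everything written to the (in-memory) error log so far."""
    return LOG_STREAM.getvalue()


if __name__ == "__main__":
    status, body = dispatch(buggy_handler, SAMPLE_REQUEST)
    print(status, body)
    print("--- error log ---")
    print(logged_errors())
```

The point of the `safe` flag is only to make the contrast visible: with `safe=False` the query fragment and the traceback end up in a 200 response, with the default they end up in the log and the client sees a generic 500.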
Debug Messages
Programmers often need a lot of information from an application to troubleshoot problems. This information is often presented at the bottom of each page when the application is being executed in debug mode. The information displayed includes:
Application configuration parameters (which may include passwords)
System environment variables
Request details (IP addresses, headers, request parameters)
Information that resulted from processing the request, such as script variables, or SQL queries
Various log messages
The effect of all this being disclosed to someone other than a developer can be devastating. The key question is, how is an application getting into debug mode?
Special request parameters
Programmers often use special request parameters, which work across the application. When such a method becomes known (and it often does), anyone who appends the parameter (for example, debug=1) to a URL can switch the application into debug mode.
Special request parameters with passwords
A slightly better approach is to use a password to protect the debug mode. Although better, chances are programmers will use a default password that does not change across application installations.
Automatic debug mode based on IP address
When a programming team sits behind a fixed set of IP addresses, they often configure the application to display debugging information automatically, upon detecting a "trusted" visitor. This approach is common for internal teams developing custom applications.
Session-based debug mode
One of the safer approaches is to have debug mode as one of the application privileges and assign the privilege to certain accounts. This approach represents a good compromise and delegates debug mode authorization to central authorization code, where such a decision belongs.
My recommendation is to have the debug mode turned off completely for production systems (and when I say turned off, I mean commented out of the source code).
Alternatively, a special request parameter (password-protected) can be used as an indicator that debug mode is needed, but the information would be dumped to a place (such as a log file) where only a developer can access it.
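To make the session-based approach and the log-file recommendation concrete, here is an added example (not from the book) of how an application can treat debug mode as a privilege and keep the dump out of the page. The privilege name "debug", the session and request dictionaries, the configuration values and the in-memory log stream are all constructed for the example; in production the log handler would write to a file only developers can read.

```python
import io
import logging

# Constructed stand-in for a developer-only log file (e.g. /var/log/app/debug.log).
DEBUG_STREAM = io.StringIO()
debug_log = logging.getLogger("app.debug")
debug_log.setLevel(logging.DEBUG)
debug_log.propagate = False
debug_log.addHandler(logging.StreamHandler(DEBUG_STREAM))

# Constructed configuration: exactly the kind of data a debug dump exposes.
APP_CONFIG = {"db_host": "db.internal", "db_user": "app", "db_password": "hunter2"}


def weak_debug_allowed(request):
    """The approach the text warns about: a request parameter alone decides.
    Anyone who learns the parameter name gets debug output."""
    return request["params"].get("debug") == "1"


def debug_allowed(session):
    """Debug mode as an application privilege, decided by central authorization
    code from the authenticated session. Anonymous sessions never qualify."""
    return session is not None and "debug" in session.get("privileges", ())


def debug_dump(request, session):
    """Constructed dump of what a developer would want to see."""
    return "user=%s path=%s params=%r config=%r" % (
        session["user"], request["path"], request["params"], APP_CONFIG)


def render_page(request, session):
    """Build the response body. The request parameter is only an indicator that
    debug output is wanted; the privilege decides, and the output goes to the
    log file, never into the body."""
    body = "<html><body><h1>Account page</h1></body></html>"
    wants_debug = request["params"].get("debug") == "1"
    if wants_debug and debug_allowed(session):
        debug_log.debug(debug_dump(request, session))
    return body


def debug_log_contents():
    return DEBUG_STREAM.getvalue()


if __name__ == "__main__":
    developer = {"user": "alice", "privileges": {"debug"}}
    request = {"path": "/account", "params": {"debug": "1", "id": "42"}}
    print(render_page(request, developer))
    print("--- debug log ---")
    print(debug_log_contents())
```

Note that `render_page` never branches on the debug flag when building `body`; that is what makes it safe to leave the indicator parameter in place on a production system, provided the privilege is not granted there.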
File Disclosure
File disclosure refers to the case when someone manages to download a file that would otherwise remain hidden or require special authorization.
Path Traversal
Path traversal occurs when directory backreferences are used in a path to gain access to the parent folder of a subfolder. If the software running on a server fails to resolve backreferences, it may also fail to detect an attempt to access files stored outside the web server tree. This flaw is known as path traversal or directory traversal. It can exist in a web server (though most web servers have fixed these problems) or in application code. Programmers often make this mistake.
If it is a web server flaw, an attacker only needs to ask for a file she knows is there:
http://www.example.com/../../etc/passwd
Even when she doesn't know where the document root is, she can simply increase the number of backreferences until she finds it.
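The defence in application code is to resolve the backreferences yourself and then check that the result is still inside the document root, instead of scanning the request for `..` strings. The function below is an added example (not from the book or from Apache) that does exactly that; the document root `/var/www/html` used in the usage is an assumption of the example.

```python
import posixpath
from urllib.parse import unquote


def resolve_under_root(root, requested):
    """Map a client-supplied path onto a file under `root`.

    Returns the normalized absolute path, or None when the request would
    escape the document root. `root` is an absolute directory; `requested`
    is the path portion of the URL as received, possibly URL-encoded.
    """
    root = posixpath.normpath(root)
    # Decode once, as the web server would, so "%2e%2e" is seen as "..".
    decoded = unquote(requested)
    # join() discards `root` if `decoded` is absolute; the check below catches that.
    # normpath() resolves every ".." lexically, however many the client stacks up
    # (extra ones above "/" are simply dropped, which is also what the kernel does).
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # commonpath() compares path components, so "/var/www/html2" does not pass as
    # being under "/var/www/html" the way a plain startswith() check would allow.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    ROOT = "/var/www/html"  # assumed document root
    for path in ("docs/index.html", "docs/../index.html",
                 "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
        print("%-30s -> %s" % (path, resolve_under_root(ROOT, path)))
```

This check is purely lexical. On a real filesystem you would additionally pass the result through `os.path.realpath` before serving it, so that a symbolic link inside the tree cannot point back out of it; that step is left out here only so the example runs without any files present.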
* * *
Tip
Apache 1 will always respond with a 404 response code to any request that contains a URL-encoded slash (%2F) in