[users@httpd] OWASP Apache 2.4 Security Cheatsheet Feedback

2019-09-03 Thread Dan Ehrlich
All:

I am trying to create an Apache2 security cheatsheet for OWASP.

I am using a monolithic Apache2.conf file (purely for presentation
purposes) to show every single security config I can think of that can be
used.

Any suggestions are welcome. I'm sure the document is missing things / has
errors currently.

Cheatsheet:
https://github.com/danehrlich1/CheatSheetSeries/blob/CSS-05/cheatsheets/Apache_HTTPD_Cheatsheet.md

OWASP Pull Request: https://github.com/OWASP/CheatSheetSeries/pull/184


Best,

Dan Ehrlich


Re: [users@httpd] Re: CVE-2019-0211/0215/0217

2019-04-07 Thread Dan Ehrlich
I’ve seen a few CVEs now that are low level but pretty much affect every 
version from 2.4.30ish and back. 

The default Apache versions in the Debian and Ubuntu repos are 2.4.25 and 
2.4.29 respectively.

QUESTIONS:
1. Any way to move the versions up (assuming I didn’t miss something)?
2. Happy to help / take on task if someone can point me in the right direction 


> On Apr 6, 2019, at 11:14 PM, Sunhux G  wrote:
> 
> Also, 
> can we safely say CVE-2019-0217 & CVE-2019-0215 affects "2.4.17 through 
> 2.4.38 with MPM event, worker or prefork" only (just like CVE-2019-0211)?
> 
> How do I check if we have "MPM event, worker or prefork" in our Apache?
> 
> 
>> On Sat, Apr 6, 2019 at 10:59 PM Sunhux G  wrote:
>> 
>> Are above CVEs affecting Apache httpd (ie web servers) 2.4.x  only 
>> & other lower versions (eg: our Solaris 10's  Apache/2.0.63) are not
>> affected?
>> 
>> Can you point me to where to get the patches for RHEL7/RHEL6
>> in the Red Hat support portal or anywhere else that's reliable?
>> 
>> Sun


Re: [users@httpd] How to fix HTTP 100-continue from client HTTP 417 error in Apache 2.4.10?

2019-02-05 Thread Dan Ehrlich
Looks like you just need to enable mod_headers 
(http://httpd.apache.org/docs/current/mod/mod_headers.html) and then add the 
below text that they mention in the Stack Overflow question?

You might need to run “a2enmod headers” from terminal once to get it loaded 
into Apache HTTPD forever, but that’s it.

Btw, put that text (assuming you’re fine running it for every website on that 
server) in /etc/apache2/apache2.conf. Might be /etc/apache2/httpd.conf, 
can’t remember.

Does this help?


“RequestHeader unset Expect early”


> On Feb 5, 2019, at 11:26 PM, Amey Abhyankar  wrote:
> 
> Hello,
> 
> I am using Apache 2.4.10 server on Debian 8.11.
> 
> I am having the following issue: the request sender is sending "Expect:
> 100-Continue" in the header.
> 
> Reference URL suggesting the fix =
> https://stackoverflow.com/questions/3889574/apache-and-mod-proxy-not-handling-http-100-continue-from-client-http-417
> 
> How to fix this issue? Thanks.
> 
> Regards,
> Amey.
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 


Re: [users@httpd] 403 Forbidden Error on Apache 2.4

2019-02-05 Thread Dan Ehrlich
I think it’s the L in your rewrite rule.

It stands for Last and means it won’t process any further rules. Remove it and 
it should (maybe) work.

Someone else feel free to correct me if I’m wrong.


> On Feb 5, 2019, at 8:55 PM, Jayaram Ponnusamy wrote:
> 
> Dear All,
> Our site is a public site and there is no restriction at any level. We are using 
> Apache on top of a Java-based CMS (Tomcat server).
> Recently we upgraded Apache from 2.2.21 to 2.4.25. Wherever Order 
> allow,deny & Allow from all appeared, we changed it to Require all granted, 
> but only the root page loads without any issue. We are getting a 403 Forbidden 
> message on the rest of the pages. Kindly help with how to enable permission for 
> all folders and their subfolders in 2.4.25.
> 
> For Example:
> Working:
> http://domain.com/sites
> 
> Not working:
> http://domain.com/newsroom
> http://domain.com/events
> http://domain.com/about
> & Other pages
> 
> RewriteEngine on
> RewriteRule ^/+$ /sites/  [R,L]
>   DocumentRoot "/apps/apache2.4"
> 
> Options FollowSymLinks
> AllowOverride None
>   Require all granted
> 


Re: [users@httpd] Redirection to https only for the top-level page

2019-02-01 Thread Dan Ehrlich
You’ll want to look into HSTS

https://https.cio.gov/hsts/

Basically it will let the user’s browser know “in advance” to always connect 
via HTTPS, eliminating the vulnerability of first connecting to a site over 
HTTP before being redirected.


> On Feb 1, 2019, at 8:09 AM, R. Diez  wrote:
> 
> Hi all:
> 
> I have very little Apache experience. I just occasionally help with a couple 
> of websites on 2 different hosting companies of the "inexpensive" variety. I 
> want to automatically redirect from somesite.com to www.somesite.com, and 
> from http to https.
> 
> With difficulty, I have managed to put together (by the copy and paste 
> method) the following .htaccess file, which seems to be working fine:
> 
> RewriteEngine On
> 
> # Redirect from non-www to www, and at the same time to https .
> RewriteCond %{HTTP_HOST}  !^www\.  [nocase]
> RewriteRule ^  https://www.%{HTTP_HOST}%{REQUEST_URI}  [last,redirect=301,noescape]
> 
> # Redirect from all other "http://www.blahblah" to https .
> RewriteCond %{HTTP:X-Forwarded-Proto} =http [ornext]
> RewriteCond %{HTTP:X-Forwarded-Proto} =""
> RewriteCond %{HTTPS} !=on
> RewriteRule ^  https://%{HTTP_HOST}%{REQUEST_URI}  [last,redirect=301,noescape]
> 
> It is even generic enough to be used unchanged in both websites.
> 
> However, I have heard that it is a bad idea to redirect all http requests to 
> https like that, because you are actually bypassing encryption. After all, 
> the first http request gets sent unencrypted, and the client will never 
> notice. It is best to let all "deep" http links fail, so that the developers 
> notice that they are not sending the users to encrypted pages. Only a few, 
> selected http pages should still automatically redirect to https.
> 
> In my case, that would be just these 2:
> 
> http://www.somesite.com -> https://www.somesite.com
> http://somesite.com -> https://www.somesite.com
> 
> All other http addresses should fail with 404.
> 
> http://www.somesite.com/xxx -> 404 error
> http://somesite.com/xxx -> 404 error
> 
> All https requests without www should still be automatically redirected:
> 
> https://somesite.com -> https://www.somesite.com
> https://somesite.com/xxx -> https://www.somesite.com/xxx
> 
> I have searched around but found no concrete example for this particular 
> scenario, which I find surprising, for I thought that this would be the 
> normal case for most simple websites.
> 
> I have no practice dealing with these rules. I fear that any little mistake 
> can have dire consequences to the website. Or severely impact performance.
> 
> Could someone with more experience tell me how to write such redirection 
> rules? This is something that will probably benefit many other users too.
> 
> Many thanks in advance,
>  rdiez
> 
> 
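The scenario rdiez describes (only the two top-level http URLs redirect, deeper http URLs return 404, https on the bare host redirects to www), combined with the HSTS header Dan suggests, written out as an added example that is not part of the thread. It assumes the site is www.somesite.com, the .htaccess sits in the document root with AllowOverride FileInfo permitted, mod_rewrite and mod_headers are loaded, and any TLS-terminating front proxy sets X-Forwarded-Proto.

```apache
# Example .htaccess for www.somesite.com (added illustration, not from the
# thread). If there is no front proxy, drop the X-Forwarded-Proto
# conditions so a client cannot set that header itself to skip the checks.
RewriteEngine On

# 1. Plain-HTTP request for the site root only (the per-directory pattern
#    is empty for "/"): send it to the canonical https://www host.
#    Covers http://somesite.com and http://www.somesite.com.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^$ https://www.somesite.com/ [R=301,L]

# 2. Every other plain-HTTP URL fails with 404 instead of being upgraded,
#    so unencrypted deep links show up as broken rather than silently work.
#    With a non-3xx status mod_rewrite ignores the substitution, hence "-".
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ - [R=404,L]

# 3. HTTPS requests for the bare host go to www, path preserved.
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.somesite.com%{REQUEST_URI} [R=301,L]

# 4. HSTS: after one HTTPS visit the browser itself rewrites later http://
#    URLs for this host to https:// before any request leaves the machine,
#    which closes the unencrypted first-request gap the thread discusses.
#    Sent only on HTTPS responses (browsers ignore it over plain HTTP).
#    31536000 seconds = one year; use a short max-age while testing.
Header always set Strict-Transport-Security "max-age=31536000" "expr=%{HTTPS} == 'on' || %{HTTP:X-Forwarded-Proto} == 'https'"
```

Before going live, request each of the six URLs rdiez lists with curl -I and confirm the status code and Location header match the intended mapping.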


[users@httpd] Apache Fake Story?

2019-01-22 Thread Dan Ehrlich
Is this true?

https://github.com/hannob/apache-uaf/blob/master/README.md

Was this security vulnerability really treated with such disregard by Apache 
HTTPD devs? 

I am aware the work that they do is free, but I contribute to plenty of open 
source for free and take the responsibility very seriously. 

This is extremely disturbing and we should all be concerned. 

If there was an oversight I made or this story changed please respond and 
correct me and I apologize in advance.





Re: [users@httpd] ErrorDocument with URL containing URL encoded chars

2019-01-09 Thread Dan Ehrlich
Not surprising that you got different behavior after removing a value from
.htaccess and placing it elsewhere.

No one knows exactly / 100% how .htaccess works. The file only exists
because they wanted to maintain backwards compatibility with the web server
that used to come with Mosaic at University of Illinois in the mid-90's.
That server, called NCSA, had a requirement for directory level config
files.

Funny enough this is where the name Apache comes from...it was basically a
collection of patches / a very "patchy" together web server

Sorry I couldn't be of more help:

https://en.wikipedia.org/wiki/NCSA_HTTPd

https://www.askapache.com/htaccess/



On Wed, Jan 9, 2019 at 2:48 AM Hajo Locke  wrote:

> Hello List,
>
> I have an interesting problem here.
> I have a .htaccess with an ErrorDocument containing text to be displayed:
>
> ErrorDocument 404 "not existing"
>
> This works with standard URLs like http://example.com/fubar.htm
> I get response 404 and in Browser displayed text is correct.
>
> Now I try URLs like this: http://example.com/%2ffubar
> The URL-encoded part of the URL seems to be a problem for ErrorDocument. I
> still get the 404 response, but the displayed text has changed.
> In place of "not existing" Apache answers with "The requested URL
> //fubar was not found on this server."
> So Apache is decoding %2f to / and uses the decoded URL for the response text in
> place of "not existing".
>
> I get a change of behaviour if I put the ErrorDocument directive directly
> into the vhost instead of .htaccess.
> In this case the ErrorDocument works as expected, also with URLs
> with URL-encoded parts.
>
> Apache 2.2 and 2.4 show the same behaviour.
> What is the problem here and how do I solve it?
>
> Thanks,
> Hajo
>