sg

Saturday, December 03, 2005

[Gmail-Lounge] Re: php questions


On 12/3/05, Allen Day <so.orange@gmail.com> wrote:
>
> Kass Lloyd <kasslloyd@gmail.com> wrote:
> >What I mean is, if you're not the only person using that machine and
> >they allow broad sweeping access to features like that, then the data
> >on your account isn't secure from other accounts on the system, if
> >that matters to you or not.
>
> I don't think you really have a very broad working knowledge of web server
> administration -- these features, properly configured, are not nearly so
> "sweeping" and insecure as you're trying to paint them. Neither
> mod_rewrite nor .htaccess have access to directories higher than them in
> the hierarchy of domains/folders -- that said, unless my user account is
> installed under another user's account (which isn't the case) -- I'm afraid
> I have all these features without the imposition of huge security holes.

There are a couple of security risks these pose:

1. mod_rewrite allows you to hide scripts as images or other file
types. This is useful for people who want to trick browsers that
they're downloading an image, but it's dynamic, or whatever. But it can
also be used to trick other websites that hot-link the image, allowing
the script to collect data on people who browse the other site, and
also perform things like cross-site scripting exploits on browsers
(capture remote cookies by hotlinking an image type thing). With
mod_rewrite it's impossible for a web site admin to know if a hotlinked
image is a script or really an image. So it's not posing a security
risk per se to the server allowing mod_rewrite, it poses remote
security risks. And although anyone can run a web server on their
cable box, many web hosting ISPs don't want to venture down that
slippery road.

2. .htaccess, if not restricted, can modify lots of Apache variables.
One of them being what scripts are executed and other things like cgi-bin
execution and other things like that. MANY web hosts do not allow you
to change those kinds of settings, since they can/do pose security
risks, however remote they are, they don't want them. For the most
part .htaccess is allowed only to restrict access to directories and
add passwords to directories, not much beyond that.

3. You are correct that on a very well set up and security-tight box,
these features pose little or no threat. But most people don't have
the time to keep up with every little security trend and bug and may
not know every little trick to secure and restrict these features. So
they just blindly disable them. This is pretty common across the
industry, for large companies that is. Small companies probably err on
ignorance when they have these enabled.

4. Directory security: many web servers are set up so that any user can
browse and access basically any file on the system. Like back track
directories and read all kinds of stuff, including other websites'
directories, password protected or not, and possibly even access and
download mail and mysql databases. These are big security risks and
although a qualified system admin can restrict a box so that this
can't happen, not every web host company has such people on staff, or
if they do they have thousands of machines and it's just easier to do
broad sweeping restrictions instead of configuring each machine.
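
The .htaccess restriction discussed in point 2 maps to Apache's `AllowOverride` directive, which names the classes of directives a .htaccess file may use. The following audit script is an added example, not part of the original post: it flags `<Directory>` blocks that grant more than password and host restrictions. The function names and the sample paths are assumptions made for illustration.

```python
import re

# Override classes that let .htaccess go beyond access control: FileInfo
# permits mod_rewrite rules and handler remapping, Options permits ExecCGI.
BROAD = {"all", "fileinfo", "options"}
DIR_OPEN = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.I)
OVERRIDE = re.compile(r"AllowOverride\s+(.+)", re.I)

def broad_classes(value):
    """Return the classes in an AllowOverride value that exceed access control."""
    found = []
    for token in value.split():
        name, _, opts = token.lower().partition("=")
        # Options=Indexes,... only matters here if it can switch on CGI.
        if name == "options" and opts and not {"execcgi", "all"} & set(opts.split(",")):
            continue
        if name in BROAD:
            found.append(name)
    return found

def audit(conf_text):
    """Map each <Directory> path to the broad override classes it grants."""
    findings, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = DIR_OPEN.match(line)
        if m:
            current = m.group(1)
        elif line.lower().startswith("</directory"):
            current = None
        elif current and (m := OVERRIDE.match(line)):
            broad = broad_classes(m.group(1))
            if broad:
                findings[current] = broad
    return findings

# Constructed sample configuration, not taken from any real host.
SAMPLE = """
<Directory "/home/alice/public_html">
    AllowOverride All
</Directory>
<Directory /home/bob/public_html>
    # AllowOverride All   (commented out, ignored by the audit)
    AllowOverride AuthConfig Limit
</Directory>
<Directory "/home/carol/public_html">
    AllowOverride AuthConfig Options=Indexes FileInfo
</Directory>
"""
```

Calling `audit(SAMPLE)` reports the first and third directories; the second grants only the password and host-restriction classes and is not reported.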
