Apache security followup

If you don't want Apache telling the world about your config on its default error pages (you don't use the default error pages, right?), you can add these two lines to your config:

### hide stuff from the world
ServerTokens ProductOnly
ServerSignature Off

Apache and the ColdFusion Administrator

We have been doing a bit of an audit of things over the last few days, and we came across something that shocked us. Somewhere between CF and Apache, our ColdFusion Administrator was accessible on our servers.

Now we all know that you should never have your CF admin pages visible to the general internet; you should always have them tucked away. We did! Or should I say, we thought we did. Turns out that you could still browse to the right URL and CF would render the admin for you.

There were no mappings or aliases: Apache would just see the .cfm, pass the request to CF, and CF would render it. Bit of a pain, but nothing a quick change to the Apache config wouldn't fix.

# AllowOverride only takes effect in <Directory> sections, so it is left out here
<Location "/CFIDE/Administrator">
Order Allow,Deny
Deny from all
</Location>
That should do it, right? Well, no, actually... it doesn't. It turns out that our silly case-insensitive OS was still letting it through. A bit of hunting and a bit of playing with RegEx brought us this little gem.

# (?i) makes the match case-insensitive; LocationMatch is unanchored, so anything below the directory is covered too
# On Apache 2.4, replace the Order/Deny pair with: Require all denied
<LocationMatch "(?i)/cfide/administrator">
Order Allow,Deny
Deny from all
</LocationMatch>
It looks very similar to the first one, except that the regular expression tells Apache to ignore case when matching this string.
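To see why the first block leaks and the second holds, here is an added Python check (my own, not from the original post): it models the two Apache matching rules against case variants of the admin URL, and includes a probe you can run against a server you administer once the change is in; the function names and sample path are mine.

```python
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

ADMIN_PATH = "/CFIDE/Administrator"

# <Location "/CFIDE/Administrator"> is a case-sensitive URL-path prefix match:
# it covers /CFIDE/Administrator and anything below it, nothing else.
def location_blocks(path):
    return path == ADMIN_PATH or path.startswith(ADMIN_PATH + "/")

# <LocationMatch "(?i)/cfide/administrator"> is an unanchored regex with the
# case-insensitive flag, so any spelling of the path is caught.
LOCATION_MATCH = re.compile(r"(?i)/cfide/administrator")

def locationmatch_blocks(path):
    return LOCATION_MATCH.search(path) is not None

def case_variants(path):
    """Distinct re-spellings of `path` that a case-insensitive filesystem
    resolves to the same file (a constructed, deliberately short list)."""
    variants = []
    for v in (path, path.lower(), path.upper(), path.swapcase(), path.title()):
        if v not in variants:
            variants.append(v)
    return variants

def audit(rule, paths):
    """Return the paths that `rule` would still let through."""
    return [p for p in paths if not rule(p)]

def probe(base_url, paths, timeout=5):
    """Post-change check against your own server: request each path and
    return (path, status) for every reply that is not 403 Forbidden."""
    leaks = []
    for p in paths:
        try:
            with urlopen(Request(base_url + p, method="HEAD"), timeout=timeout) as resp:
                leaks.append((p, resp.status))
        except HTTPError as err:
            if err.code != 403:
                leaks.append((p, err.code))
    return leaks

if __name__ == "__main__":
    # Constructed sample request path: the CF admin front page.
    paths = case_variants("/CFIDE/Administrator/index.cfm")
    print("slips past <Location>:     ", audit(location_blocks, paths))
    print("slips past <LocationMatch>:", audit(locationmatch_blocks, paths))
    # probe("http://localhost", paths)  # run against your own server after the change
```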

Now, our apache server returns a nice big fat...

Forbidden

You don't have permission to access /cfide/administrator on this server.

Now, doesn't that look better?