[horde] Possible security hole?
C. William Graham
grahamcw at hurleybulldogs.com
Wed May 13 00:31:31 UTC 2009
This scan has been around for a long time -
The README access isn't a bug (my opinion) - more a configuration thing.
Use this as a start:
http://wiki.horde.org/SecurityTips
Add README and any other files you feel should not be readable like
this - understanding that this will give the requester a security
error instead of a not found, which says it exists but prohibits
them from seeing it.
<LocationMatch "^/horde/(.*/)?(README|test.php)">
    order deny,allow
    deny from all
    allow from localhost
</LocationMatch>
A couple of other things help with these scans:
Don't use horde or a derivative of horde and its release as your subdirectory.
Dead-end people that are accessing your site by IP by building a
separate virtual host for people accessing your site by IP:
<VirtualHost *:80>
    DocumentRoot /var/www-ip/html/
    # ServerName is your server's IP address (not a hostname)
    ServerName xxx.xxx.xxx.xxx
    ErrorLog logs/ip-error_log
    CustomLog logs/ip-access_log common
</VirtualHost>
Then put a blank page as your index.html in /var/www-ip/html;
then there isn't anything for them to get to when they come to your
site doing an IP scan.
Hope this helps
Bill
--
Bill Graham
Systems Administrator
Hurley Public Schools
Hurley,SD 57036
USA
http://www.hurleybulldogs.com
grahamcw at hurleybulldogs.com
Quoting Nels Lindquist <nlindq at maei.ca>:
> Hi, folks.
>
> I did a quick search on my list archive and didn't find mention of this,
> so my apologies in advance if I missed a thread.
>
> I received a logwatch e-mail this morning from one of our test servers
> which does NOT have any Horde applications installed, obviously probing
> for Horde:
>
> Requests with error response codes
> 404 Not Found
> //README: 1 Time(s)
> //user/templates/footer.tpl: 1 Time(s)
> /email//README: 1 Time(s)
> /horde-3.0.5//README: 1 Time(s)
> /horde-3.0.6//README: 1 Time(s)
> /horde-3.0.7//README: 1 Time(s)
> /horde-3.0.8//README: 1 Time(s)
> /horde-3.0.9//README: 1 Time(s)
> /horde//README: 1 Time(s)
> /horde2//README: 1 Time(s)
> /horde3//README: 1 Time(s)
> /mail//README: 1 Time(s)
> /mails//README: 1 Time(s)
> /mailz//README: 1 Time(s)
> /newmail//README: 1 Time(s)
> /webmail//README: 1 Time(s)
>
>
> Out of curiosity, I tried loading the README file on our active Horde
> installations, and sure enough, it popped right up.
>
> At the very least, this is an information leak (the revision string is
> right at the top of the file) but I'm concerned that if they're actively
> probing for Horde, there's a specific hole they're looking for.
>
> I intend to immediately disable access to the README files, but I
> thought I should send you a heads-up.
>
> Nels Lindquist
> --
> Horde mailing list - Join the hunt: http://horde.org/bounties/#horde
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>
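Detection for the probe pattern in Nels's logwatch report, as an added example that is not part of this thread: it parses Apache common-format access log lines (the CustomLog format used in the IP vhost above), groups README/test.php requests by client, and reports which of those requests the server actually answered with 200. The client IPs and log lines are constructed.

```python
import re
from collections import defaultdict

# Apache "common" log format (the CustomLog format in the reply above):
# host ident user [time] "method path protocol" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"\S+ (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+$')

# The scanner asks for README (and Horde's test.php) in the web root and in
# guessed install directories, so only the last path component matters.
PROBE_FILE_RE = re.compile(r'(?:^|/)(README|test\.php)$')

# Constructed sample log: one scanner (198.51.100.7) and one ordinary user.
SAMPLE_LOG = """\
198.51.100.7 - - [12/May/2009:06:12:01 -0600] "GET //README HTTP/1.0" 404 284
198.51.100.7 - - [12/May/2009:06:12:01 -0600] "GET /horde//README HTTP/1.0" 404 284
198.51.100.7 - - [12/May/2009:06:12:02 -0600] "GET /horde-3.0.9//README HTTP/1.0" 404 284
198.51.100.7 - - [12/May/2009:06:12:02 -0600] "GET /webmail//README HTTP/1.0" 200 4105
203.0.113.5 - - [12/May/2009:06:15:43 -0600] "GET /horde/login.php HTTP/1.1" 200 8211
203.0.113.5 - - [12/May/2009:06:15:44 -0600] "GET /horde/themes/screen.css HTTP/1.1" 200 1337
"""

def normalize(path):
    """Drop the query string and collapse '//' (the scan sends '/horde//README')."""
    return re.sub(r'/{2,}', '/', path.split('?', 1)[0])

def is_probe(path):
    """True if the request targets a README or test.php in any directory."""
    return PROBE_FILE_RE.search(normalize(path)) is not None

def find_scanners(log_text, min_paths=3):
    """Group README/test.php probes by client IP.

    Returns {ip: {'paths': [...], 'exposed': [...]}} for clients that asked
    for at least min_paths distinct probe paths. 'exposed' holds the probes
    answered 200, i.e. the files the server actually handed out.
    """
    paths, exposed = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_probe(m['path']):
            continue  # unparseable line or ordinary request
        p = normalize(m['path'])
        paths[m['ip']].add(p)
        if m['status'] == '200':
            exposed[m['ip']].add(p)
    return {ip: {'paths': sorted(ps), 'exposed': sorted(exposed[ip])}
            for ip, ps in paths.items() if len(ps) >= min_paths}
```

A non-empty 'exposed' list means the README (with its revision string) is being served and the LocationMatch rule above has not taken effect for that path.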