From: Damien R. <dam...@me...> - 2012-08-02 08:17:44

Hi,

A user suggested [1] to add an index.html file in all folders to prevent directory browsing in the case it's authorized by the web server.

Thoughts?

D

[1] http://www.mantisbt.org/bugs/view.php?id=14535
From: Robert M. <rob...@gm...> - 2012-08-02 08:20:51

Shouldn't that already be handled at webserver level?

On Thu, Aug 2, 2012 at 11:16 AM, Damien Regad <dam...@me...> wrote:
> Hi,
>
> A user suggested [1] to add an index.html file in all folders to prevent
> directory browsing in the case it's authorized by the web server.
>
> Thoughts?
>
> D
>
> [1] http://www.mantisbt.org/bugs/view.php?id=14535
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> mantisbt-dev mailing list
> man...@li...
> https://lists.sourceforge.net/lists/listinfo/mantisbt-dev

--
Sent from my (old) computer
From: Damien R. <dam...@me...> - 2012-08-02 08:27:31

On 02/08/12 10:20, Robert Munteanu wrote:
> Shouldn't that already be handled at webserver level?

That was my initial reaction as well, hence resolving the issue as "no change required", but following the guy's latest note, I had second thoughts and decided to seek advice/opinion of the rest of the team :)
From: Robert M. <rob...@gm...> - 2012-08-02 09:09:53

On Thu, Aug 2, 2012 at 11:25 AM, Damien Regad <dam...@me...> wrote:
> On 02/08/12 10:20, Robert Munteanu wrote:
>> Shouldn't that already be handled at webserver level?
>
> That was my initial reaction as well, hence resolving the issue as "no
> change required", but following the guy's latest note, I had second
> thoughts and decided to seek advice/opinion of the rest of the team :)

What would we gain? It's not like we hide the files we have in the Mantis source tree. The only sensitive information probably is the uploads tree, but that should not be unprotected in the web root anyway.

Robert

--
Sent from my (old) computer
From: Roland B. <ro...@at...> - 2012-08-05 20:39:08

I found that we use empty index.html files for example in most of the library subdirectories to prevent browsing. Maybe using an empty index.html is not the clean way for it, but works with most of the web servers.

For Apache you can create a .htaccess file in root directory of MantisBT to prevent directory browsing also for all subdirectories. The following line is enough for it:

Options -Indexes

You can add this option also in the Apache configuration httpd.conf

Robert Munteanu <rob...@gm...> wrote on 2 August 2012 at 11:09:
> What would we gain? It's not like we hide the files we have in the
> Mantis source tree. The only sensitive information probably is the
> uploads tree, but that should not be unprotected in the web root
> anyway.
>
> Robert
From: Damien R. <dam...@me...> - 2012-08-06 14:23:07

On 05/08/12 22:39, Roland Becker wrote:
> I found that we use empty index.html files for example in most of the
> library subdirectories to prevent browsing. Maybe using an empty
> index.html is not the clean way for it, but works with most of the
> web servers.

I was thinking about doing that actually, hence my original message.

> For Apache you can create a .htaccess file in root directory of MantisBT
> to prevent directory browsing also for all subdirectories.

That's platform-dependent, so we can't use this as a global solution, and it goes back to what I wrote in the Issue, i.e. it's basically a web server config problem.

At the end of the day, even with the index.html, users have an easy way of finding the names (and even contents) of the files as well as the directory structure, so it may be quite pointless to try and hide them (I guess that's what rombert meant by

> Robert Munteanu <rob...@gm...> wrote on 2 August 2012 at 11:09:
>> What would we gain? It's not like we hide the files we have in the
>> Mantis source tree.

D
From: Roland B. <ro...@at...> - 2012-08-06 15:35:56

> That's platform-dependent, so we can't use this as a global solution,

I agree, but we deliver also platform dependent .htaccess to restrict access rights. (for example in core subdirectory)
Maybe this has been introduced to avoid security issues if MantisBT is installed by dumb administrators, shared hosting, ....
Some kind of "minimum default security" out of the box.

I hope that also some of the more experienced MantisBT developers will respond to share their knowledge.
From: John R. <jo...@no...> - 2012-08-06 16:13:53

The real question is what security problem are you honestly trying to solve by adding index.html? Because I can guarantee that index.html (or even `Options -Indexes`) will not solve it at all. Hiding indexes is security through obscurity, not real security.

If you have sensitive data or scripts in your MantisBT directory, then either you shouldn't have it in a public web root, or you should be configuring your server to protect it in some other way, like password or certificate based authentication.

Fix the root cause of the security issue. Don't try to wallpaper over the problem by turning off indexes and hoping no one will ever guess or find a link to what you're trying to hide. Certainly don't give users a false sense of security by handing out free index.html files all over the code base.
From: Roland B. <ro...@at...> - 2012-08-06 19:54:00

> Certainly don't give users a false
> sense of security by handing out free index.html files all over the code
> base.

+1

So this means we should be able to remove all existing .htaccess and index.html files if there is a clean solution!?

.htaccess has been introduced in 1.1.x to fix issue 8286 [1]

Removing the file will introduce other issues because we do not ensure that some of our files can't be called by browser. We will get PHP errors and warnings. For example have a look at this issue [2] which is caused by not having a .htaccess file for the plugin directory. Or try removing core/.htaccess and access access_api.php. You will get:

Fatal error: require_once() [function.require]: Failed opening required 'config_filter_defaults_inc.php'

There is hardly any file in the core directory which will not throw errors.

Does it mean there is no other clean solution than the way we protect for example bug_view_inc.php?

    if ( !defined( 'BUG_VIEW_INC_ALLOW' ) ) {
        access_denied();
    }

Probably nothing which should be changed in master-1.2.x.

I am no PHP / Web developer. I can't believe that there is no better solution for this. But seems that also other developers are using this construct. [3]

Maybe rearranging all files the way it's done in next branch is the right approach. [4] Seems that the public directory is the one and only directory which holds the files which should be accessed by the browser.

What about the following compromise for master-1.2.x? Use the .htaccess file from directory core also for directories library and plugins. I know, it's not working with IIS [5] and also not working for directory api/soap.

No more ideas at the moment ...

[1] https://github.com/mantisbt/mantisbt/commit/a4e2dca48a4714b5b91aa815f3300150835062f1#core/.htaccess
[2] http://www.mantisbt.org/bugs/view.php?id=14538
[3] http://stackoverflow.com/questions/1340001/deny-direct-access-to-all-php-files-except-index-php
[4] https://github.com/mantisbt/mantisbt/tree/next/public
[5] http://learn.iis.net/page.aspx/557/translate-htaccess-content-to-iis-webconfig/
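The guard Roland quotes from bug_view_inc.php, exercised end to end as an added example (this is not MantisBT's code, nor anything from the thread): a hypothetical include file is written to a temp directory and then requested two ways, directly as a browser would request it, and through an entry script that defines the marker constant first. The access_denied() function and the $f_bug_id variable are stand-ins assumed for the demo; MantisBT's real access_denied() sends an error page and exits rather than throwing.

```php
<?php
// Added example, not MantisBT's own code: the include-guard pattern from the
// thread, run both ways. The include file is hypothetical and is written to a
// temp directory so this script is self-contained; access_denied() is a
// stand-in for MantisBT's function of the same name.

// Hypothetical include file. Without the guard, a direct request for it would
// run it outside the entry script and trip over undefined variables and
// functions (the "Failed opening required" fatal error reported for core/).
$include_source = <<<'PHP'
<?php
if ( !defined( 'BUG_VIEW_INC_ALLOW' ) ) {
    access_denied();
}
// Past the guard the include can rely on state the entry script set up.
return 'bug view rendered for issue #' . $f_bug_id;
PHP;

$dir = sys_get_temp_dir() . '/guard_demo_' . getmypid();
mkdir( $dir );
$include_file = $dir . '/bug_view_inc.php';
file_put_contents( $include_file, $include_source );

// Stand-in for MantisBT's access_denied(): abort the request. The real one
// emits a 403-style error page and exits; throwing keeps this demo in one
// process so both outcomes can be shown.
function access_denied() {
    throw new RuntimeException( '403 Forbidden: direct access to an include file' );
}

// A browser requesting /bug_view_inc.php directly: no entry script ran, so the
// constant is undefined and the guard fires before any other line executes.
function simulate_direct_request( $include_file ) {
    try {
        return include $include_file;
    } catch ( RuntimeException $e ) {
        return $e->getMessage();
    }
}

// A request through the entry script (e.g. bug_view_page.php): it defines the
// marker constant and the variables the include relies on, then includes it.
// include inherits this function's scope, so $f_bug_id is visible inside.
function simulate_via_entry_script( $include_file, $bug_id ) {
    define( 'BUG_VIEW_INC_ALLOW', true );
    $f_bug_id = $bug_id;
    return include $include_file;
}

// Direct request first: once the constant is defined it stays defined for the
// rest of the process, so the order matters in a single-script demo.
echo simulate_direct_request( $include_file ), PHP_EOL;
echo simulate_via_entry_script( $include_file, 42 ), PHP_EOL;

unlink( $include_file );
rmdir( $dir );
```

Run it from the command line with php. Note what the guard does and does not buy: it protects one file at a time, so every file under core/ needs its own copy, and a file that forgets it is exactly the kind that produces the require_once fatal error quoted above. A web-server deny rule such as core/.htaccess, or the next branch's layout where only public/ sits under the document root, covers the whole tree in one place and fails closed for files nobody remembered to guard; an empty index.html or Options -Indexes does neither, since it only hides the listing and leaves every file fetchable by name.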