You are here: Foswiki>Tasks Web>Item9243 (24 Dec 2014, GeorgeClark)Edit Attach

Item9243: configure checker to test that all scripts (er, or files) in foswiki/bin are secured in htaccess or localsite

Priority: Enhancement
Current State: Confirmed
Released In: n/a
Target Release: n/a
Applies To: Engine
Component: Configure
Reported By: SvenDowideit
Waiting For:
Last Change By: GeorgeClark
basically, we want to make sure that if an extension adds a new cgi, that the admin knows about it, and is able to make sure its secured appropriatly.

similarly, my bin has an nytprof.out file - and that should be highlighted.

-- SvenDowideit - 02 Jul 2010

I was thinking about this a bit, but in many installations, bin is protected in the apache configuration, not .htaccess files. Any thoughts on how configure could actually examine the active httpd configuration? Given how few sites actually use the .htaccess files, it doesn't make sense to try to base a checker around them for the validation. I have not found any examples of a cgi script actually validating the contents of the server configuration.

I wonder if another option would be to secure all files in bin with a wildcard and then unsecure the ones that should be open. This would result in auto protection of new additions. Same for the LocalSite.cfg variable. Deprecate the list of protected scripts and instead use a list of "open" scripts with everything else protected.

As far as validating the LocalSite.cfg protections, this would probably make more sense in a "scenario" wizard - depending upon the type of site you run would require different list of protected scripts.

-- GeorgeClark - 23 Jul 2010

Confirmed... but only partially. No idea how to determine that the web server (apache, nginx, IIS, etc) is providing proper protection.

-- GeorgeClark - 24 Dec 2014

ItemTemplate edit

Summary configure checker to test that all scripts (er, or files) in foswiki/bin are secured in htaccess or localsite
ReportedBy SvenDowideit
Codebase trunk
SVN Range
AppliesTo Engine
Component Configure
Priority Enhancement
CurrentState Confirmed
TargetRelease n/a
ReleasedIn n/a
Topic revision: r4 - 24 Dec 2014, GeorgeClark
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy