LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page SCGIMount on apache2 bypasses Order Allow,Deny
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 11-19-2011, 03:55 PM   #1
Vitus13
LQ Newbie
 
Registered: Oct 2011
Posts: 14

Rep: Reputation: Disabled
Exclamation SCGIMount on apache2 bypasses Order Allow,Deny

I created a fresh VirtualHost to test this because at first I didn't believe what I was seeing.

Here's a fresh Apache config:
Code:
<VirtualHost *:81>
        ServerAdmin xxxx@xxx.xxx
        ServerName  www.xxxxx.xxx:81
        DocumentRoot /var/www
        LogLevel warn
        ErrorLog /var/log/apache2/altport-error.log
        CustomLog /var/log/apache2/altport-access.log combined
        <Directory />
                Options FollowSymLinks
                AllowOverride None
                Order allow,deny
                Deny from all
        </Directory>
        <Directory /var/www>
                Order allow,deny
                Allow from all
        </Directory>
        <Directory /var/www/log>
                Order allow,deny
                Deny from all
        </Directory>
</VirtualHost>
Everything works as it should, no requests from xxxxx.xxx:81/log are served. Now, delete the log folder and add the following line to the config:
Code:
SCGIMount /log 127.0.0.1:5000
Now visiting /log gives a 500 Internal Server Error, which is a sign that the xmlrpc-c server sitting at 127.0.0.1:5000 is world accessible!

Does anyone know why mod_authz_host doesn't work on SCGI Mounts?
 
Old 11-26-2011, 12:39 PM   #2
Vitus13
LQ Newbie
 
Registered: Oct 2011
Posts: 14

Original Poster
Rep: Reputation: Disabled
*bump*

If I'm doing this wrong, let me know.
 
Old 12-07-2011, 11:39 PM   #3
Vitus13
LQ Newbie
 
Registered: Oct 2011
Posts: 14

Original Poster
Rep: Reputation: Disabled
19 days since posting
So it seems I've either stumped the internet at large or done something so completely dumb that it didn't even merit a "RTFM".

EDIT:
I shot an email over at the Apache Users Email List and I can't thank them enough for their help. A helpful reader shot back a reply indicating that since the SCGIMount is not a filesystem location it would not fall under the domain of <Directory> but rather <Location>.

Simply adjusting the following part of the config resulted in immediate success.
Code:
#Edit this:
<Directory /var/www/log>
    Order allow,deny
    Deny from all
</Directory>

#To be this:
<Location /log>
    Order allow,deny
    Deny from all
</Location>
Hopefully this helps someone in the future.
Last edited by Vitus13; 12-09-2011 at 11:46 AM. Reason: Found Solution
 
  


Reply

Tags
apache2, config, rpc, security, xml


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
apache2: page allocation failure. order:0, mode:0x20 minime Linux - Server 3 04-06-2009 03:38 AM
ProxyPass bypasses authentication t0bias Linux - Server 0 03-09-2009 09:44 PM
apache2.conf - Deny from ... lothario Linux - Server 2 09-15-2008 09:07 PM
Boot process bypasses amiro Debian 1 11-25-2007 10:35 PM
Apache2 > "order allow,deny" to allow subdirectories cbonar Linux - Server 13 10-27-2007 03:08 PM


All times are GMT -5. The time now is 11:22 AM.

Contact Us - Advertising Info - Rules - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
 
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: @linuxquestions
Open Source Consulting | Domain Registration