This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "SCG WS Apache"
| Line 1: | Line 1: | ||
{{Template:OWASP Secure Configuration Guide}} | {{Template:OWASP Secure Configuration Guide}} | ||
| − | + | == Summary == | |
| − | + | The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors. | |
| + | |||
| + | |||
| + | == Common Misconfigurations == | ||
| + | |||
| + | === Misconfiguration 1 === | ||
| + | ==== Description ==== | ||
| + | |||
| + | %ProductName% allows unauthorized attacker to list all users of the system ... | ||
| + | |||
| + | // Detailed description of the impact. Is it enabled by default? Vulnerable versions. | ||
| + | |||
| + | ==== How to test ==== | ||
| + | |||
| + | In order to test for %Misconfiguration_1%, one should ... | ||
| + | |||
| + | // Proof-of-concept here. Please include the screenshots and widely known tools/scanners! | ||
| + | |||
| + | ==== Remediation ==== | ||
| + | |||
| + | Initial/common value of parameter "listUsers" from config.xml is set to "true". | ||
| + | |||
| + | To assess the vulnerability it is enough to change the value to false: | ||
| + | |||
| + | <pre> | ||
| + | <security> | ||
| + | <listUsers>false</listUsers> | ||
| + | </security> | ||
| + | </pre> | ||
| + | |||
== Misconfigurations == | == Misconfigurations == | ||
Revision as of 06:22, 10 January 2015
This article is part of the OWASP Secure Configuration Guide.
Back to the OWASP Secure Configuration Guide ToC: https://www.owasp.org/index.php/Secure_Configuration_Guide Back to the OWASP Secure Configuration Guide Project: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide
Summary
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.
Common Misconfigurations
Misconfiguration 1
Description
%ProductName% allows unauthorized attacker to list all users of the system ...
// Detailed description of the impact. Is it enabled by default? Vulnerable versions.
How to test
In order to test for %Misconfiguration_1%, one should ...
// Proof-of-concept here. Please include the screenshots and widely known tools/scanners!
Remediation
Initial/common value of parameter "listUsers" from config.xml is set to "true".
To assess the vulnerability it is enough to change the value to false:
<security> <listUsers>false</listUsers> </security>
Misconfigurations
Please also mention /server-status !
1. Version details disclosed in headers disable apache tokens
2. Proper SSL cipher selection
Cipher orders
Disable specific ciphers
3. Guidelines on how to store ssl private keys on server stuff like not to store private keys on /var/www/
4. Detailing about various authentication types
basic, digest, X509, LDAP or others.
Detailing about authoentication types and which one to use in which situation.
References
https://httpd.apache.org/docs/current/misc/security_tips.html
