Misconfigured Web Servers

Risk Rating:

A web server that isn't configured securely can leak large amounts of information and leave it vulnerable to a variety of attacks. Default web server configurations generally contain a number of insecure settings. By default, Apache is a relatively secure web server; however, it still requires some tweaking before it is used for production purposes.

This is especially the case when Apache is distributed within a preconfigured Linux distribution like Debian. Default files and directories include the Apache manual pages, the /icons/ and /icons/small/ directories, the /cgi-bin/ directory, readme files, and welcome pages. These allow the attacker to gather information other than what is placed on the Internet for production purposes, possibly allowing him or her to determine the web server type, version, and configuration. Default web server configurations may also allow directory listings to take place, enabling the web server directory structure to be enumerated and additional default files and directories to be browsed.

Apache has a default allow access control methodology, which means that, by default, all files within the web server's webspace will be accessible through the web service. It is quite common for sensitive, private, or confidential files and information to be stored within the webspace of web servers, and by default, these are exposed to the Internet. Unreferenced files and directories, including various web application configuration files, backup and temporary files, as well as unreferenced web applications and administrative interfaces, are commonly available to the Internet due to the lack of access controls implemented on the web server.

These unreferenced files can cause a large number of security issues ranging from enumerating internal system information, discovering insecure configuration files, downloading web application source code, and brute-forcing access to administrative web interfaces, to serious breaches of confidentiality agreements. If vulnerable software is in use, Google hacking may also be employed, where attackers have an exploit for a particular version of a web application and are able to use Google's search functionality to find vulnerable companies—then it's just like shooting fish in a barrel. The Google Hacking Database (http://johnny.ihackstuff.com/ghdb.php) is a great way to find vulnerable software located on the Internet. This website categorizes various types of sensitive information and functionality that has been indexed by Google such as usernames and passwords for a range of web applications, open web cameras that you can move around and zoom, as well as misconfigured or vulnerable web application software including open router web interfaces that will allow you to set up a VPN server and account to gain access to an organization's internal network.

The FollowSymLinks directive is also commonly enabled by default, which, combined with other vulnerabilities or misconfigurations, may allow an attacker to gain read access to arbitrary files throughout the server filesystem. If an attacker is able to create a symlink on the web server that points to the /etc/passwd file, then simply requesting the symlink will return the contents of that file, allowing the attacker to enumerate all accounts on the system. If the web server were configured to run as the root user, the /etc/shadow file could also be downloaded, allowing password hashes to be captured and cracked offline. Web servers should not be configured to run as the root user, so that any exploited vulnerability or misconfiguration is limited in what it can compromise.

This also means that permissions on directories and files related to the web server need to be configured so that the nonprivileged web server user is unable to overwrite key files or directories. Imagine if the Apache httpd binary were writable by this nonprivileged user and could therefore be replaced by an attacker: the next time the httpd binary is run, it could create a backdoor on the system. Similarly, if the web server user is able to overwrite production web pages or log files, an attacker may be able to deface the website and destroy any evidence of the attack within the web server logs.

Administrators should be careful when enabling the UserDir directive, which allows system users to have a website located under their home directory. By requesting the web directory /~jdoe/, the web server will attempt to load the website located under the jdoe home directory, generally in a folder called public_html. This poses a number of serious security issues. An attacker may be able to brute-force a list of valid user accounts on the system by requesting various user websites, determining whether they exist or not. Burp Suite Intruder is a fantastic tool for this type of attack. If the root user is also configured to have a user website, and directory listings are enabled, then by requesting the web directory /~root/, an attacker may be able to browse the entire filesystem, gaining access to large amounts of sensitive information.

Default Linux distributions may also come with enhancements to the Apache web server, such as Python, PHP, and Perl modules. These additional components also need to be configured and upgraded to ensure that unexpected vulnerabilities don't arise. For example, if a web application uses PHP, but the web server is not configured to map the .php filename extension to the PHP module, then the source code will be served to the attacker rather than being parsed by the PHP module. An attacker is then able to examine the PHP source code to determine whether any security weaknesses exist, or to gain access to sensitive information such as database query strings, usernames, and passwords.
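The following Apache configuration fragment is an added example, not part of the original text, that addresses each default discussed above (default-allow webspace, directory listings, FollowSymLinks, unreferenced leftover files, UserDir, the PHP handler, and the service account). The DocumentRoot /var/www/html, the www-data user and group, and the Debian-style alias lines are assumptions; adjust them to the distribution in use.

```apache
# Added hardening example (assumptions: /var/www/html, www-data, Debian paths).

# Run as a nonprivileged account, never root. This account must not be able
# to write the httpd binary, the configuration, DocumentRoot or the logs.
User www-data
Group www-data

# Stop advertising server type and version in headers and error pages.
ServerTokens Prod
ServerSignature Off

# Distribution extras: remove the lines that install the manual, icons and
# cgi-bin. On Debian they look like the following (shown here disabled):
# Alias /icons/ "/usr/share/apache2/icons/"
# ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
# Include conf-enabled/apache2-doc.conf

# Apache allows by default, so start from deny for the whole filesystem and
# open only the directory that is meant to be public.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

<Directory /var/www/html>
    # -Indexes: no directory listings. SymLinksIfOwnerMatch instead of
    # FollowSymLinks: a link is only followed when link and target have the
    # same owner, so a planted link to /etc/passwd is not served.
    Options -Indexes +SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
</Directory>

# Unreferenced leftovers: dotfiles, editor backups, includes, dumps, archives.
<FilesMatch "(^\.|~$|\.(bak|old|orig|inc|sql|tar|gz|zip)$)">
    Require all denied
</FilesMatch>

# No per-user sites (/~user/). If they are required, never for root:
UserDir disabled
# UserDir public_html
# UserDir disabled root

# Hand .php to the PHP module (mod_php); otherwise the source is served as
# text. A php-fpm setup uses a proxy SetHandler here instead.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
```

Run the configuration test (apachectl configtest, or apache2ctl on Debian) after applying it, then request a known backup filename and a directory without an index page to confirm both return 403.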
