414 lines
5.7 KiB
HTML
414 lines
5.7 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
|
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Web server</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
|
|
REL="HOME"
|
|
TITLE="The Bugzilla Guide - 3.6.1
|
|
Release"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Bugzilla Security"
|
|
HREF="security.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Operating System"
|
|
HREF="security-os.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Bugzilla"
|
|
HREF="security-bugzilla.html"></HEAD
|
|
><BODY
|
|
CLASS="section"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>The Bugzilla Guide - 3.6.1
|
|
Release</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="security-os.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 4. Bugzilla Security</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="security-bugzilla.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="security-webserver"
|
|
>4.2. Web server</A
|
|
></H1
|
|
><DIV
|
|
CLASS="section"
|
|
><H2
|
|
CLASS="section"
|
|
><A
|
|
NAME="security-webserver-access"
|
|
>4.2.1. Disabling Remote Access to Bugzilla Configuration Files</A
|
|
></H2
|
|
><P
|
|
> There are many files that are placed in the Bugzilla directory
|
|
area that should not be accessible from the web server. Because of the way
|
|
Bugzilla is currently layed out, the list of what should and should not
|
|
be accessible is rather complicated. A quick way is to run
|
|
<TT
|
|
CLASS="filename"
|
|
>testserver.pl</TT
|
|
> to check if your web server serves
|
|
Bugzilla files as expected. If not, you may want to follow the few
|
|
steps below.
|
|
</P
|
|
><DIV
|
|
CLASS="tip"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="tip"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/tip.gif"
|
|
HSPACE="5"
|
|
ALT="Tip"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
>Bugzilla ships with the ability to create
|
|
<A
|
|
HREF="glossary.html#gloss-htaccess"
|
|
><I
|
|
CLASS="glossterm"
|
|
><TT
|
|
CLASS="filename"
|
|
>.htaccess</TT
|
|
></I
|
|
></A
|
|
>
|
|
files that enforce these rules. Instructions for enabling these
|
|
directives in Apache can be found in <A
|
|
HREF="configuration.html#http-apache"
|
|
>Section 2.2.4.1</A
|
|
>
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>In the main Bugzilla directory, you should:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>Block:
|
|
<TT
|
|
CLASS="filename"
|
|
>*.pl</TT
|
|
>, <TT
|
|
CLASS="filename"
|
|
>*localconfig*</TT
|
|
>
|
|
</P
|
|
></LI
|
|
></UL
|
|
></LI
|
|
><LI
|
|
><P
|
|
>In <TT
|
|
CLASS="filename"
|
|
>data</TT
|
|
>:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>Block everything</P
|
|
></LI
|
|
></UL
|
|
></LI
|
|
><LI
|
|
><P
|
|
>In <TT
|
|
CLASS="filename"
|
|
>data/webdot</TT
|
|
>:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>If you use a remote webdot server:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>Block everything</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>But allow
|
|
<TT
|
|
CLASS="filename"
|
|
>*.dot</TT
|
|
>
|
|
only for the remote webdot server</P
|
|
></LI
|
|
></UL
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Otherwise, if you use a local GraphViz:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>Block everything</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>But allow:
|
|
<TT
|
|
CLASS="filename"
|
|
>*.png</TT
|
|
>, <TT
|
|
CLASS="filename"
|
|
>*.gif</TT
|
|
>, <TT
|
|
CLASS="filename"
|
|
>*.jpg</TT
|
|
>, <TT
|
|
CLASS="filename"
|
|
>*.map</TT
|
|
>
|
|
</P
|
|
></LI
|
|
></UL
|
|
></LI
|
|
><LI
|
|
><P
|
|
>And if you don't use any dot:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>Block everything</P
|
|
></LI
|
|
></UL
|
|
></LI
|
|
></UL
|
|
></LI
|
|
><LI
|
|
><P
|
|
>In <TT
|
|
CLASS="filename"
|
|
>Bugzilla</TT
|
|
>:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>Block everything</P
|
|
></LI
|
|
></UL
|
|
></LI
|
|
><LI
|
|
><P
|
|
>In <TT
|
|
CLASS="filename"
|
|
>template</TT
|
|
>:</P
|
|
><P
|
|
></P
|
|
><UL
|
|
COMPACT="COMPACT"
|
|
><LI
|
|
><P
|
|
>Block everything</P
|
|
></LI
|
|
></UL
|
|
></LI
|
|
></UL
|
|
><P
|
|
>Be sure to test that data that should not be accessed remotely is
|
|
properly blocked. Of particular interest is the localconfig file which
|
|
contains your database password. Also, be aware that many editors
|
|
create temporary and backup files in the working directory and that
|
|
those should also not be accessible. For more information, see
|
|
<A
|
|
HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=186383"
|
|
TARGET="_top"
|
|
>bug 186383</A
|
|
>
|
|
or
|
|
<A
|
|
HREF="http://online.securityfocus.com/bid/6501"
|
|
TARGET="_top"
|
|
>Bugtraq ID 6501</A
|
|
>.
|
|
To test, simply run <TT
|
|
CLASS="filename"
|
|
>testserver.pl</TT
|
|
>, as said above.
|
|
</P
|
|
><DIV
|
|
CLASS="tip"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="tip"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/tip.gif"
|
|
HSPACE="5"
|
|
ALT="Tip"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
>Be sure to check <A
|
|
HREF="configuration.html#http"
|
|
>Section 2.2.4</A
|
|
> for instructions
|
|
specific to the web server you use.
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="security-os.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="security-bugzilla.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Operating System</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="security.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Bugzilla</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |