ciac-J-042.web.security.txt

`Date: Tue, 18 May 1999 09:09:34 -0700 (PDT)  
From: CIAC Mail User <[email protected]>  
To: [email protected]  
Subject: CIAC Bulletin J-042: Web Security  
  
[ For Public Release ]  
-----BEGIN PGP SIGNED MESSAGE-----  
  
__________________________________________________________  
  
The U.S. Department of Energy  
Computer Incident Advisory Capability  
___ __ __ _ ___  
/ | /_\ /  
\___ __|__ / \ \___  
__________________________________________________________  
  
INFORMATION BULLETIN  
  
Web Security  
  
May 17, 1999 21:00 GMT Number J-042  
______________________________________________________________________________  
PROBLEM: Public web servers continue to be attractive targets for  
hackers seeking to embarrass organizations or promote a  
political agenda. Good security practices can protect your site  
from the risks such compromises create.  
PLATFORM: Any Unix platform or NT system being used as a web server.  
DAMAGE: Damage can be anything from a denial-of-service attack, the  
placement of pornographic material, the posting of political  
messages, or the deletion of files or the placement of  
malicious software.  
SOLUTION: Follow known best practices and apply software patches as soon  
as they are announced by your incident response team or your  
vendor.  
______________________________________________________________________________  
VULNERABILITY Public web sites are hacked on an almost daily basis; the  
ASSESSMENT: threat that your site could be compromised is real.  
______________________________________________________________________________  
  
  
BEST PRACTICES IN MANAGING WORLD WIDE WEB SERVER SECURITY:  
  
1. Place your web server(s) in a DMZ. Set your firewall to drop connections  
to your web server on all ports but http (port 80) or https (port 443).  
2. Remove all unneeded services from your web server, keeping FTP (but only  
if you need it) and a secure login capability such as secure shell. An  
unneeded service can become an avenue of attack.  
3. Disallow all remote administration unless it is done using a one-time  
password or an encrypted link.  
4. Limit the number of persons having administrator or root level access.  
5. Log all user activity and maintain those logs either in an encrypted form  
on the web server or store them on a separate machine on your Intranet.  
6. Monitor system logs regularly for any suspicious activity. Install some  
trap macros to watch for attacks on the server (such as the PHF attack).  
Create macros that run every hour or so that would check the integrity of  
passwd and other critical files. When the macros detect a change, they  
should send an e-mail to the system manager.  
7. Remove ALL unnecessary files such as phf from the scripts directory  
/cgi-bin.  
8. Remove the "default" document trees that are shipped with Web  
servers such as IIS and ExAir.  
9. Apply all relevant security patches as soon as they are announced.  
10. If you must use a GUI interface at the console, remove the commands that  
automatically start the window manager from the .RC startup directories  
and then create a startup command for the window manager. You can then  
use the window manager when you need to work on the system, but shut it  
down when you are done. Do not leave the window manager running for any  
extended length of time.  
11. If the machine must be administered remotely, require that a secure  
capability such as secure shell is used to make a secure connection.   
Do not allow telnet or non-anonymous ftp (those requiring a username and  
password) connections to this machine from any untrusted site. It would  
also be good to limit these connections only to a minimum number of  
secure machines and have those machines reside within your Intranet.  
12. Run the web server in a chroot-ed part of the directory tree so it cannot  
access the real system files.  
13. Run the anonymous FTP server (if you need it) in a chroot-ed part of the  
directory tree that is different from the web server's tree.  
14. Do all updates from your Intranet. Maintain your web page originals on a  
server on your Intranet and make all changes and updates here; then  
"push" these updates to the public server through an SSL connection.  
If you do this on a hourly basis, you can avoid having a corrupted server  
exposed for a long period of time.  
15. Scan your web server periodically with tools like ISS or nmap to look for  
vulnerabilities.  
16. Have intrusion detection software monitor the connections to the server.  
Set the detector to alarm on known exploits and suspicious activities and  
to capture these sessions for review. This information can help you  
recover from an intrusion and strengthen your defenses.  
  
  
BULLETINS PUBLISHED RELATING TO WEB SERVERS:  
  
==========  
  
UNIX Systems  
  
CIAC Bulletins:  
  
F-11: Unix NCSA httpd Vulnerability   
http://www.ciac.org/ciac/bulletins/f-11.shtml  
  
H-01: Vulnerabilities in bash   
http://www.ciac.org/ciac/bulletins/h-01.shtml  
  
I-024: CGI Security Hole in EWS1.1 Vulnerability   
http://www.ciac.org/ciac/bulletins/i-024.shtml  
  
I-082: HP-UX Netscape Servers Vulnerability   
http://www.ciac.org/ciac/bulletins/i-082.shtml  
  
I-040: SGI Netscape Navigator Vulnerabilities   
http://www.ciac.org/ciac/bulletins/i-040.shtml  
  
Other Bulletins:  
  
Domino 4.6 may allow unauthorized writes to remote server drives and  
server configuration files.  
http://www.l0pht.com/advisories/domino2.txt  
  
Excite 1.1 may set encrypted password files world writable.  
BUGTRAQ Mail Archives: "Security bugs in Excite for Web Servers 1.1"  
at http://www.netspace.org/cgi-bin/wa?A2=ind9811e&L=bugtraq&F=&S=&P=519  
  
ColdFusion Application Server and unauthorized access to web server data.  
http://www.excite.com/computers_and_internet/tech_news/zdnet/  
?article=/news/19990429/1014542.inp  
  
==========  
  
Windows Systems  
  
CIAC Bulletins:  
  
I-024: CGI Security Hole in EWS1.1 Vulnerability   
http://www.ciac.org/ciac/bulletins/i-024.shtml  
  
I-025A: Windows NT based Web Servers File Access Vulnerability   
http://www.ciac.org/ciac/bulletins/i-025a.shtml  
  
Microsoft bulletins can be found under the Microsoft Security  
Advisor web page at  
  
http://www.microsoft.com/security/default.asp  
  
The following bulletins appeared in "Current Security Bulletins"  
and "Security Bulletin Archives":  
  
MS99-013: Solution Available for File Viewers Vulnerability. (May 7, 1999)   
  
MS99-012: MSHTML Update Available for Internet Explorer. (April 21, 1999)  
  
MS99-011: Patch Available for "DHTML Edit" Vulnerability. (April 21, 1999)   
  
MS98-019: Patch Available for IIS "GET" Vulnerability. (December 21, 1998)  
  
MS98-016: Update available for "Dotless IP Address" Issue in Microsoft  
Internet Explorer 4. (October 23, 1998)  
  
MS98-011: Update Available for "Window.External" JScript Vulnerability  
in Microsoft Internet Explorer 4.0. (August 17, 1998)  
  
MS98-004: Unauthorized ODBC Data Access with Remote Data Services and  
Inernet Information Systems. (July 15, 1998)  
  
Other Bulletins:  
  
"ISAPI Extension vulnerability allows to execute code as SYSTEM" at:   
http://www.ntbugtraq.com/page_archives_wa.asp?A2=ind9903&L=  
ntbugtraq&F=P&S=&P=2439  
  
Internet Explorer 5.0 cached passwords can be reused by another user.  
http://www.zdnet.com/zdnn/stories/news/0,4586,1014586,00.html  
http://www.zdnet.com/anchordesk/story/story_3351.html  
  
Internet Explorer (3.01, 3.02, 4.0, 4.01) may allow frame spoofing to  
trick the user  
Microsoft Knowledgebase Article ID: Q167614: "Update Available For  
"Frame Spoof" Security Issue"  
http://support.microsoft.com/support/kb/articles/q167/6/14.asp  
  
==========  
  
Systems running NCSA HTTPD and Apache HTTPD  
  
CIAC Bulletins:  
  
G-17: Vulnerabilities in Sample HTTPD CGIs  
http://ciac.llnl.gov/ciac/bulletins/g-17.shtml  
  
G-20: Vulnerability in NCSA and Apache httpd Servers   
http://www.ciac.org/ciac/bulletins/g-20.shtml  
  
Other Bulletins:  
  
Apache denial-of-service attack -- Apache httpd (1.2.x, 1.3b3)  
http://www.netspace.org/cgi-bin/wa?A1=ind9712e&L=bugtraq#2  
http://www.apache.org/dist/patches/apply_to_1.2.4/  
no2slash-loop-fix.patch  
http://www.apache.org/dist/patches/apply_to_1.3b3/  
no2slash-loop-fix.patch  
  
"HTTP REQUEST_METHOD flaw"  
http://www.netspace.org/cgi-bin/wa?A2=ind9901a&L=bugtraq&F=  
&S=&P=8530  
  
==========  
  
Systems running Netscape Navigator  
  
CIAC Bulletins:  
  
H-76: Netscape Navigator Security Vulnerability   
http://www.ciac.org/ciac/bulletins/h-76.shtml  
  
I-082: HP-UX Netscape Servers Vulnerability   
http://www.ciac.org/ciac/bulletins/i-082.shtml  
  
I-040: SGI Netscape Navigator Vulnerabilities   
http://www.ciac.org/ciac/bulletins/i-040.shtml  
  
Other Bulletins:  
  
"Reading local files with Netscape Communicator 4.5" at  
http://www.geocities.com/ResearchTriangle/1711/b6.html  
  
Netscape Navigator may allow frame spoofing to trick the user  
Netscape Security Update: "The Frame-Spoofing Vulnerability"  
http://home.netscape.com/products/security/resources/bugs/  
framespoofing.html  
  
==========  
  
System running cgi-bin routines  
  
CIAC Bulletins:  
  
I-013: Count.cgi Buffer Overrun Vulnerability   
http://www.ciac.org/ciac/bulletins/i-013.shtml  
  
I-014: Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages   
http://www.ciac.org/ciac/bulletins/i-014.shtml  
  
Other Bulletins:  
  
IRIX webdist.cgi, handler and wrap programs  
ftp://sgigate.sgi.com/security/19970501-02-PX  
ftp://info.cert.org/pub/cert_advisories/CA-97.12.webdist  
  
"Nlog 1.1b released - security holes fixed"  
http://www.netspace.org/cgi-bin/wa?A2=ind9812d&L=bugtraq&F=&S=  
&P=10302  
http://owned.comotion.org/~spinux/index.html  
  
==========  
  
CIAC also published a document called Securing Internet Information  
Servers which has a chapter on Securing World Wide Web Servers   
http://www.ciac.org/ciac/documents/ciac2308.html  
  
  
There are other resources that CIAC recommends for additional guidance.  
The first is a publication that was developed by SANS and The Intranet  
Institute after the web server at the U.S. Department of Justice was  
hacked--"Twelve Mistakes To Avoid In Managing Security-For the Web."  
The document can be found at:  
http://www.computerworld.com/home/online9697.nsf/all/971001secure.  
SANS also publishes a document called "14 Steps to Avoiding Disaster  
with Your Web Site."  
  
Another web site that you should book mark is http://www.w3.org/Security/faq/.  
This is a web security FAQ (Frequently Asked Questions) that is maintained  
by The World Wide Web Consortium http://www.w3.org/. They have security  
sections for each of the major operating systems used today for web servers:  
http://www.w3.org/Security/faq/wwwsf8.html.  
  
IF YOUR WEB SITE HAS BEEN HACKED:  
CIAC recommends the following as you check your web servers:  
1. Apply ALL security-related patches for the web server software as well  
as for the underlying Operating System.  
2. Remove ALL unnecessary files such as phf from the scripts directory  
/cgi-bin. Remove the "default" document trees that are shipped with Web  
servers such as IIS and ExAir.  
3. Validate ALL user accounts on the web server and ensure that they have   
strong passwords.  
4. Validate ALL services and open ports on the web server to ensure there  
are no Trojanned services.  
5. Look for suspicious files in the /dev, /etc, and /tmp directories.  
  
______________________________________________________________________________  
  
  
CIAC, the Computer Incident Advisory Capability, is the computer  
security incident response team for the U.S. Department of Energy  
(DOE) and the emergency backup response team for the National  
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore  
National Laboratory in Livermore, California. CIAC is also a founding  
member of FIRST, the Forum of Incident Response and Security Teams, a  
global organization established to foster cooperation and coordination  
among computer security teams worldwide.  
  
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC  
can be contacted at:  
Voice: +1 925-422-8193  
FAX: +1 925-423-8002  
STU-III: +1 925-423-2604  
E-mail: [email protected]  
  
For emergencies and off-hour assistance, DOE, DOE contractor sites,  
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -  
8AM PST), use one of the following methods to contact CIAC:  
  
1. Call the CIAC voice number 925-422-8193 and leave a message, or  
  
2. Call 888-449-8369 to send a Sky Page to the CIAC duty person  
(PIN number 8550070), or  
  
3. Send e-mail to [email protected], or  
  
4. Call 800-201-9288 for the CIAC Project Leader.  
  
Previous CIAC notices, anti-virus software, and other information are  
available from the CIAC Computer Security Archive.  
  
World Wide Web: http://www.ciac.org/  
(or http://ciac.llnl.gov)  
Anonymous FTP: ftp.ciac.org  
(or ciac.llnl.gov)  
Modem access: +1 (925) 423-4753 (28.8K baud)  
+1 (925) 423-3331 (28.8K baud)  
  
  
CIAC has several self-subscribing mailing lists for electronic  
publications:  
1. CIAC-BULLETIN for Advisories, highest priority - time critical  
information and Bulletins, important computer security information;  
2. SPI-ANNOUNCE for official news about Security Profile Inspector  
(SPI) software updates, new features, distribution and  
availability;  
3. SPI-NOTES, for discussion of problems and solutions regarding the  
use of SPI products.  
  
Our mailing lists are managed by a public domain software package  
called Majordomo, which ignores E-mail header subject lines. To  
subscribe (add yourself) to one of our mailing lists, send the  
following request as the E-mail message body, substituting  
ciac-bulletin, spi-announce OR spi-notes for list-name:  
  
E-mail to [email protected] or [email protected]:  
subscribe list-name  
e.g., subscribe ciac-bulletin  
  
You will receive an acknowledgment email immediately with a confirmation  
that you will need to mail back to the addresses above, as per the  
instructions in the email. This is a partial protection to make sure  
you are really the one who asked to be signed up for the list in question.  
  
If you include the word 'help' in the body of an email to the above address,  
it will also send back an information file on how to subscribe/unsubscribe,  
get past issues of CIAC bulletins via email, etc.  
  
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing  
communities receive CIAC bulletins. If you are not part of these  
communities, please contact your agency's response team to report  
incidents. Your agency's team will coordinate with CIAC. The Forum of  
Incident Response and Security Teams (FIRST) is a world-wide  
organization. A list of FIRST member organizations and their  
constituencies can be obtained via WWW at http://www.first.org/.  
  
This document was prepared as an account of work sponsored by an  
agency of the United States Government. Neither the United States  
Government nor the University of California nor any of their  
employees, makes any warranty, express or implied, or assumes any  
legal liability or responsibility for the accuracy, completeness, or  
usefulness of any information, apparatus, product, or process  
disclosed, or represents that its use would not infringe privately  
owned rights. Reference herein to any specific commercial products,  
process, or service by trade name, trademark, manufacturer, or  
otherwise, does not necessarily constitute or imply its endorsement,  
recommendation or favoring by the United States Government or the  
University of California. The views and opinions of authors expressed  
herein do not necessarily state or reflect those of the United States  
Government or the University of California, and shall not be used for  
advertising or product endorsement purposes.  
  
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)  
  
J-032: Windows Backdoors Update II:  
J-033: SGI X server font path vulnerability  
J-034: Cisco 7xx TCP and HTTP Vulnerabilities  
J-035: Linux Blind TCP Spoofing  
J-036: LDAP Buffer overflow against Microsoft Directory Services  
J-037: W97M.Melissa Word Macro Virus  
J-038: HP-UX Vulnerabilities (hpterm, ftp)  
J-039: HP-UX Vulnerabilities (MC/ServiceGuard & MC/LockManager, DES  
J-040: HP-UX Security Vulnerability in sendmail  
J-041: Cisco IOS(R) Software Input Access List Leakage with NAT  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: 4.0 Business Edition  
  
iQCVAwUBN0CwKbnzJzdsy3QZAQHXtQP/XjIp+n8AXt3NeZM0TJ4eQ/aYzcow0v8e  
3yrlDn4QmBtamNdDF0ghXpUoUyq6y/ZeWD8Dle4lY8Do54BhtUI9lvfCh+3XzhVm  
wuQ9Tw7rS11yN/NoP+wi6YH3vsLqbWyeC3a/cR8IdAmU2NHNBvADh9mYvsaVKQi8  
OOvrn56na4Y=  
=1ind  
-----END PGP SIGNATURE-----  
  
`