MCI Telecommunications internetMCI Security Group

Report Name:           iMCI MIIGS Security Alert
Report Number:         iMCISE:IMCI:120596:01:P1R1
Report Date:           12/05/96
Report Format:         Formal
Report Classification: MCI Informational
Report Reference:      http://www.security.mci.net/web-security.html
                       http://www.security.mci.net/check.html
Report Distribution:   iMCI Security, MCI Internal Internet Gateway
                       Security (MIIGS), MCI Emergency Alert LiSt (MEALS)
                       (names on file)
-------------------------------------------------------------------------------

There is a significant dependence on the WEB for day-to-day and
mission-critical Internet activities. Indeed, the WEB is the future of the
Internet and, if we're not careful, its next downfall.

The WEB's greatest strength, its flexibility, is also its greatest flaw. CGI
scripts that provide functionality for your users can open the door to
intruders. In addition, WEB Servers can be programmed to index valuable
information on your machine, and can sometimes be accidentally configured to
index too much information, including confidential documents and/or sensitive
system files:

http://www.altavista.digital.com/cgi-bin/query?pg=q&what=web&fmt=.&q=%2Fetc%2Fpasswd

The following attempts to highlight some of the issues you need to be
concerned about regarding the security of your WEB Server environment:

Protective Measures For WEB Server Development

- Limit server access to a specific area on the host. Some Web Servers,
  e.g. OMI, offer a chroot directive in the configuration file. Others can be
  chrooted using the chroot utility, although this typically involves copying
  some system libraries and device files.
- Run the HTTP server with user ID and group ID set to nobody. Make sure that
  no files or directories, other than WEB log data, are writable by
  user/group nobody.
- Map the document root to a specific directory so that clients can only
  access that area.
- Disable directory indexing unless it is necessary.
- Enforce the use of a secure protocol (shttp, https, PCT) for access to
  sensitive documents and to regions that require a password.
- Set an allowed hosts list so that only those hosts can access
  private/sensitive documents.
- Protect the key database and the server password (used to encrypt the
  server key), i.e. set file mode to 600.
- Use secure transfer for all files that may contain passwords (e.g. server
  core dump, configuration file, key file, etc.).
- Review server logs frequently for signs of misuse and attempted break-ins.
- Do not put a script language interpreter in cgi-bin.
- Never pass user input directly to an interpreter (e.g., /bin/sh, /bin/perl,
  etc.). Scrub all input data for malicious content such as shell
  meta-characters. User input should be considered to include all fields in
  an HTML form, including hidden fields that the users weren't supposed to
  modify. User input should also include environment variables set by the
  server, such as the name of the remote host or remote user.

  For details on CGI script security, please visit the following sites:

  http://hoohoo.ncsa.uiuc.edu/cgi/security.html
  http://www.cerf.net/~paulp/cgi-security
  http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec

- Disable other network based applications that aren't used by the server.
- Ensure that the network based applications in use are secured (e.g., smtp,
  ftp, etc.).
- If using a WEB based administrative tool, ensure you restrict access to
  only authorized systems (via IP address, rather than hostname). Always
  change default passwords.
- Ensure you know what files are accessible via the WEB Server (e.g., many
  sites unknowingly allow access to "/etc/passwd", allowing unauthorized
  users to identify guessable passwords).

This document is updated at:
    http://www.security.mci.net/web-security.html

Other documents to view are:
    http://www.security.mci.net/check.html
    Protection of TCP/IP Based Networks

===============================================================
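
The rule above about never passing user input directly to an interpreter, shown as an added example that is not part of the original MCI report. The field names (user, format), the allowlist patterns and the stand-in helper program are assumptions chosen for illustration. Every input, including the hidden field and REMOTE_HOST, is checked against an allowlist and then handed to a fixed program as an argument list, so no shell ever parses it.

```python
import re
import subprocess
import sys

# Allowlist per input: reject anything that does not match, instead of
# trying to enumerate every dangerous shell meta-character.
RULES = {
    "user": re.compile(r"[A-Za-z0-9_]{1,32}"),            # visible form field
    "format": re.compile(r"short|long"),                  # hidden form field
    "REMOTE_HOST": re.compile(r"[A-Za-z0-9.-]{1,255}"),   # set by the server
}

class RejectedInput(ValueError):
    """Raised when an input is missing or fails its allowlist."""

def scrub(name, value):
    """Return value unchanged if it fully matches its rule, else raise."""
    rule = RULES.get(name)
    if rule is None or not isinstance(value, str) or not rule.fullmatch(value):
        raise RejectedInput(name)
    return value

def handle_request(form, environ):
    """Validate every input, then run a fixed program without a shell."""
    args = [scrub("user", form.get("user")),
            scrub("format", form.get("format")),
            scrub("REMOTE_HOST", environ.get("REMOTE_HOST"))]
    # Stand-in helper (assumption): a child process that echoes its arguments.
    helper = [sys.executable, "-c", "import sys; print(' '.join(sys.argv[1:]))"]
    # argv is a list and shell=False (the default), so /bin/sh never parses it.
    done = subprocess.run(helper + args, capture_output=True, text=True, check=True)
    return done.stdout.strip()

def is_rejected(form, environ):
    """True if the request is refused before any program is started."""
    try:
        handle_request(form, environ)
    except RejectedInput:
        return True
    return False

# Constructed sample requests (not taken from real traffic).
GOOD = ({"user": "alice", "format": "short"}, {"REMOTE_HOST": "client.example.com"})
BAD_FIELD = ({"user": "alice;ls", "format": "short"}, GOOD[1])
BAD_HIDDEN = ({"user": "alice", "format": "short|ls"}, GOOD[1])
BAD_ENV = (GOOD[0], {"REMOTE_HOST": "client.example.com`ls`"})

if __name__ == "__main__":
    print(handle_request(*GOOD))
    for name, req in [("field", BAD_FIELD), ("hidden", BAD_HIDDEN), ("env", BAD_ENV)]:
        print(name, "rejected:", is_rejected(*req))
```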