[ZendTo] Re: Security

Jules Jules at Zend.To
Sat Dec 10 14:57:34 GMT 2011


Thanks for those, I'll add them to the VM distributions. I'm also going 
to put the WebDAV lines in the httpd.conf, commented out, so that you 
just need to uncomment them and run htpasswd to add the username and 
password for it.

There's one minor UI change to go in this weekend before I do a release, 
as in the New Drop-off form currently there isn't room between the 
browse button and the library drop-down to fit in the file size, so it 
splits it over 2 lines which looks messy. So the drop-down and the 
description need moving to the right about an inch.

Once that's done, I see no reason not to do a stable release of it, as 
it otherwise appears to all work okay.

Cheers,
Jules.

On 09/12/2011 17:47, Brad Beckenhauer wrote:
> Since we're on the subject of security.
> Consider changing the below Apache configurations:
> ServerSignature On   to   ServerSignature Off
> ServerTokens OS   to   ServerTokens Prod   ( or just remark it out to 
> disable it).
> ( Blatant web scrape below).
> The first line "ServerSignature Off" instructs Apache not to display a 
> trailing footer line under server-generated documents (error messages, 
> mod_proxy ftp directory listings, mod_info output, etc.) which displays 
> the server version number, ServerName of the serving virtual host, 
> email setting, and creates a "mailto:" reference to the ServerAdmin of 
> the referenced document.
>
> The second line "ServerTokens Prod" configures Apache to return only 
> Apache as product in the server response header on every page request, 
> suppressing OS, major and minor version info.
>
>
> >>> On 12/9/2011 at 5:00 AM, Jules <Jules at zend.to> wrote:
>
>
> On 09/12/2011 10:42, Joao Alexandre wrote:
> > Hi Jules,
> >
> > All of our internet facing structure was evaluated/scanned for
> > security problems and regarding ZendTo they found two issues. They
> > don't seem to be related itself with ZendTo but maybe you can help us
> > resolve or lead us to the solution:
> >
> > 1.
> > Vulnerability details -
> > Script ID    201167
> > Name    Directory Browsing
> > Port    443/TCP - http
> > Risk factor    Medium risk
> > CVSS Score    5.0 - (AV:N/AC:L/Au:N/C:P/I:N/A:N)
> > (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)
> > Family    http
> > Product    HTTP
> > Description    This service lists the contents of various directories.
> > Information    Browsable directories:
> > Location
> > /js/
> > /images/
> > /icons/
> > /css/
> > Solution    Disable directory browsing
> > History    First seen : 2011-12-09 08:02 - New finding
> This one you can fix in your Apache configuration. Look for a line
> saying something like
>      Options All Indexes FollowSymLinks MultiViews
> and remove the word "Indexes" from it. (Basically just search all the
> Apache configuration files you can find for the word "Indexes" and
> remove it!)
> Then restart Apache.
> I have just applied this fix to the VMs I distribute.
> >
> > 2.
> > Script ID    236788
> > Name    SSL/TLS Cipher Suite Detect MD5
> > Port    443/TCP - http
> > Risk factor    Medium risk
> > CVSS Score    5.0 - (AV:N/AC:L/Au:N/C:N/I:P/A:N)
> > (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)
> > Family    ssl
> > Product    SSL
> > Description    The MD5 Message-Digest Algorithm is not collision
> > resistant, which makes it easier for context-dependent attackers to
> > conduct spoofing attacks, as demonstrated by attacks on the use of MD5
> > in the signature algorithm of an X.509 certificate.
> > Information    SSLv3 Cipher Suite      OpenSSL Cipher Name   Algorithm Bits   Bits Used   Cipher Strength
> >                RSA_WITH_RC4_128_MD5    RC4-MD5               128              128         medium
> >                TLSv1 Cipher Suite      OpenSSL Cipher Name   Algorithm Bits   Bits Used   Cipher Strength
> >                RSA_WITH_RC4_128_MD5    RC4-MD5               128              128         medium
> > Solution    Reconfigure the service to disallow the listed cipher suites
> > Reference    url - http://www.kb.cert.org/vuls/id/836068
> > CVE    CVE-2004-2761
> > History    First seen : 2011-12-09 08:02 - New finding
> This is related to your https SSL certificate, and the encryption method
> it uses. Most certificate providers are switching away from MD5 to SHA-1
> so hopefully the next time you renew your certificate this problem
> should disappear.
>
> Jules
>
> -- 
> Julian Field MEng CITP CEng
> www.Zend.To
>
> Follow me at twitter.com/JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> 'It's okay to live without all the answers' - Charlie Eppes, 2011
> 'All programs have a desire to be useful' - Tron, 1982
> 'That is the land of lost content,
>   I see it shining plain,
>   The happy highways where I went,
>   And cannot come again.' - A.E. Houseman
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

Jules

-- 
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
'All programs have a desire to be useful' - Tron, 1982
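As an added example (not ZendTo's own code, nor anything from the thread), a small POSIX shell audit that reports the three Apache settings discussed above, ServerSignature, ServerTokens and Indexes, for the config file it is given. The sample configs are constructed here; the assumed usage is to pass real httpd.conf fragments to audit_conf instead. One caveat the thread does not mention: `Options All` already enables Indexes, so removing only the word "Indexes" from `Options All Indexes ...` still leaves directory listings on.

```shell
#!/bin/sh
# Added audit script, not part of ZendTo: reports the three Apache
# configuration findings discussed in this thread for the file given.
# Caveat: "Options All" already implies Indexes, so deleting only the word
# "Indexes" from "Options All Indexes ..." still leaves listings enabled.

# audit_conf FILE: prints one line per finding, nothing when clean
audit_conf() {
    f="$1"
    grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+On([[:space:]]|$)' "$f" &&
        echo "ServerSignature On: version and ServerAdmin shown on error pages"
    # ServerTokens defaults to Full when absent, so anything but Prod is a finding
    ! grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod(uctOnly)?([[:space:]]|$)' "$f" &&
        echo "ServerTokens missing or not Prod: OS and version in Server header"
    # a bare or +Indexes token, or All, enables listings; -Indexes does not
    grep -Eiq '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+[+]?(Indexes|All)([[:space:]]|$)' "$f" &&
        echo "Options Indexes/All: directory listings enabled"
    return 0
}

# finding_count FILE: number of findings, for use in scripts
finding_count() { audit_conf "$1" | wc -l | tr -d ' '; }

# Constructed sample: the weak settings quoted in the thread
WEAK_CONF="$(mktemp)"
cat > "$WEAK_CONF" <<'EOF'
ServerSignature On
ServerTokens OS
<Directory "/var/www/html">
    Options All Indexes FollowSymLinks MultiViews
</Directory>
EOF

# Constructed sample: the same file with the fixes applied
FIXED_CONF="$(mktemp)"
cat > "$FIXED_CONF" <<'EOF'
ServerSignature Off
ServerTokens Prod
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks +MultiViews
</Directory>
EOF

echo "weak config:";  audit_conf "$WEAK_CONF"
echo "fixed config:"; audit_conf "$FIXED_CONF"
```

The second scan finding (RC4-MD5) is about the cipher suites the server offers rather than the certificate itself, and is addressed in mod_ssl with an SSLCipherSuite value that excludes MD5 and RC4; this script does not check that directive.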
