Web Security

CIAC INFORMATION BULLETIN

J-042: Web Security

May 18, 1999 17:00 GMT
PROBLEM:       Public web servers continue to be attractive targets for 
               hackers seeking to embarrass organizations or promote a 
               political agenda. Good security practices can protect your site 
               from the risks such compromises create. 
PLATFORM:      Any Unix platform or NT system being used as a web server. 
DAMAGE:        Damage can be anything from a denial-of-service attack, the 
               placement of pornographic material, the posting of political 
               messages, or the deletion of files or the placement of 
               malicious software. 
SOLUTION:      Follow known best practices and apply software patches as soon 
               as they are announced by your incident response team or your 
               vendor. 

VULNERABILITY  Public web sites are hacked on an almost daily basis; the 
ASSESSMENT:    threat that your site could be compromised is real.
BEST PRACTICES IN MANAGING WORLD WIDE WEB SERVER SECURITY:

1. Place your web server(s) in a DMZ. Set your firewall to drop connections
   to your web server on all ports but http (port 80) or https (port 443).

2. Remove all unneeded services from your web server, keeping FTP (but only
   if you need it) and a secure login capability such as secure shell. An
   unneeded service can become an avenue of attack.

3. Disallow all remote administration unless it is done using a one-time
   password or an encrypted link.

4. Limit the number of persons having administrator or root level access.

5. Log all user activity and maintain those logs either in an encrypted form
   on the web server or store them on a separate machine on your Intranet.

6. Monitor system logs regularly for any suspicious activity. Install some
   trap macros to watch for attacks on the server (such as the PHF attack).
   Create macros that run every hour or so that would check the integrity of
   passwd and other critical files. When the macros detect a change, they
   should send an e-mail to the system manager.

7. Remove ALL unnecessary files such as phf from the scripts directory
   /cgi-bin.

8. Remove the "default" document trees that are shipped with Web servers
   such as IIS and ExAir.

9. Apply all relevant security patches as soon as they are announced.

10. If you must use a GUI interface at the console, remove the commands that
    automatically start the window manager from the .RC startup directories
    and then create a startup command for the window manager. You can then
    use the window manager when you need to work on the system, but shut it
    down when you are done. Do not leave the window manager running for any
    extended length of time.

11. If the machine must be administered remotely, require that a secure
    capability such as secure shell is used to make a secure connection. Do
    not allow telnet or non-anonymous ftp (those requiring a username and
    password) connections to this machine from any untrusted site. It would
    also be good to limit these connections only to a minimum number of
    secure machines and have those machines reside within your Intranet.

12. Run the web server in a chroot-ed part of the directory tree so it cannot
    access the real system files.

13. Run the anonymous FTP server (if you need it) in a chroot-ed part of the
    directory tree that is different from the web server's tree.

14. Do all updates from your Intranet. Maintain your web page originals on a
    server on your Intranet and make all changes and updates here; then
    "push" these updates to the public server through an SSL connection. If
    you do this on an hourly basis, you can avoid having a corrupted server
    exposed for a long period of time.

15. Scan your web server periodically with tools like ISS or nmap to look
    for vulnerabilities.

16. Have intrusion detection software monitor the connections to the server.
    Set the detector to alarm on known exploits and suspicious activities
    and to capture these sessions for review. This information can help you
    recover from an intrusion and strengthen your defenses.

BULLETINS PUBLISHED RELATING TO WEB SERVERS:

==========
UNIX Systems

CIAC Bulletins:

  F-11:  Unix NCSA httpd Vulnerability
         http://www.ciac.org/ciac/bulletins/f-11.shtml
  H-01:  Vulnerabilities in bash
         http://www.ciac.org/ciac/bulletins/h-01.shtml
  I-024: CGI Security Hole in EWS1.1 Vulnerability
         http://www.ciac.org/ciac/bulletins/i-024.shtml
  I-082: HP-UX Netscape Servers Vulnerability
         http://www.ciac.org/ciac/bulletins/i-082.shtml
  I-040: SGI Netscape Navigator Vulnerabilities
         http://www.ciac.org/ciac/bulletins/i-040.shtml

Other Bulletins:

  Domino 4.6 may allow unauthorized writes to remote server drives and
  server configuration files.
         http://www.l0pht.com/advisories/domino2.txt
  Excite 1.1 may set encrypted password files world writable.
         BUGTRAQ Mail Archives: "Security bugs in Excite for Web Servers 1.1" at
         http://www.netspace.org/cgi-bin/wa?A2=ind9811e&L=bugtraq&F=&S=&P=519
  ColdFusion Application Server and unauthorized access to web server data.
         http://www.excite.com/computers_and_internet/tech_news/zdnet/?article=/news/19990429/1014542.inp

==========
Windows Systems

CIAC Bulletins:

  I-024:  CGI Security Hole in EWS1.1 Vulnerability
          http://www.ciac.org/ciac/bulletins/i-024.shtml
  I-025A: Windows NT based Web Servers File Access Vulnerability
          http://www.ciac.org/ciac/bulletins/i-025a.shtml

Microsoft bulletins can be found under the Microsoft Security Advisor web
page at http://www.microsoft.com/security/default.asp. The following
bulletins appeared in "Current Security Bulletins" and "Security Bulletin
Archives":

  MS99-013: Solution Available for File Viewers Vulnerability. (May 7, 1999)
  MS99-012: MSHTML Update Available for Internet Explorer. (April 21, 1999)
  MS99-011: Patch Available for "DHTML Edit" Vulnerability. (April 21, 1999)
  MS98-019: Patch Available for IIS "GET" Vulnerability. (December 21, 1998)
  MS98-016: Update available for "Dotless IP Address" Issue in Microsoft
            Internet Explorer 4. (October 23, 1998)
  MS98-011: Update Available for "Window.External" JScript Vulnerability in
            Microsoft Internet Explorer 4.0. (August 17, 1998)
  MS98-004: Unauthorized ODBC Data Access with Remote Data Services and
            Internet Information Systems. (July 15, 1998)

Other Bulletins:

  "ISAPI Extension vulnerability allows to execute code as SYSTEM" at:
         http://www.ntbugtraq.com/page_archives_wa.asp?A2=ind9903&L=ntbugtraq&F=P&S=&P=2439
  Internet Explorer 5.0 cached passwords can be reused by another user.
         http://www.zdnet.com/zdnn/stories/news/0,4586,1014586,00.html
         http://www.zdnet.com/anchordesk/story/story_3351.html
  Internet Explorer (3.01, 3.02, 4.0, 4.01) may allow frame spoofing to
  trick the user.
         Microsoft Knowledgebase Article ID: Q167614: "Update Available For
         "Frame Spoof" Security Issue"
         http://support.microsoft.com/support/kb/articles/q167/6/14.asp

==========
Systems running NCSA HTTPD and Apache HTTPD

CIAC Bulletins:

  G-17: Vulnerabilities in Sample HTTPD CGIs
        http://ciac.llnl.gov/ciac/bulletins/g-17.shtml
  G-20: Vulnerability in NCSA and Apache httpd Servers
        http://www.ciac.org/ciac/bulletins/g-20.shtml

Other Bulletins:

  Apache denial-of-service attack -- Apache httpd (1.2.x, 1.3b3)
        http://www.netspace.org/cgi-bin/wa?A1=ind9712e&L=bugtraq#2
        http://www.apache.org/dist/patches/apply_to_1.2.4/no2slash-loop-fix.patch
        http://www.apache.org/dist/patches/apply_to_1.3b3/no2slash-loop-fix.patch
  "HTTP REQUEST_METHOD flaw"
        http://www.netspace.org/cgi-bin/wa?A2=ind9901a&L=bugtraq&F=&S=&P=8530

==========
Systems running Netscape Navigator

CIAC Bulletins:

  H-76:  Netscape Navigator Security Vulnerability
         http://www.ciac.org/ciac/bulletins/h-76.shtml
  I-082: HP-UX Netscape Servers Vulnerability
         http://www.ciac.org/ciac/bulletins/i-082.shtml
  I-040: SGI Netscape Navigator Vulnerabilities
         http://www.ciac.org/ciac/bulletins/i-040.shtml

Other Bulletins:

  "Reading local files with Netscape Communicator 4.5" at
         http://www.geocities.com/ResearchTriangle/1711/b6.html
  Netscape Navigator may allow frame spoofing to trick the user.
         Netscape Security Update: "The Frame-Spoofing Vulnerability"
         http://home.netscape.com/products/security/resources/bugs/framespoofing.html

==========
Systems running cgi-bin routines

CIAC Bulletins:

  I-013: Count.cgi Buffer Overrun Vulnerability
         http://www.ciac.org/ciac/bulletins/i-013.shtml
  I-014: Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages
         http://www.ciac.org/ciac/bulletins/i-014.shtml

Other Bulletins:

  IRIX webdist.cgi, handler and wrap programs
         ftp://sgigate.sgi.com/security/19970501-02-PX
         ftp://info.cert.org/pub/cert_advisories/CA-97.12.webdist
  "Nlog 1.1b released - security holes fixed"
         http://www.netspace.org/cgi-bin/wa?A2=ind9812d&L=bugtraq&F=&S=&P=10302
         http://owned.comotion.org/~spinux/index.html

==========

CIAC also published a document called Securing Internet Information Servers,
which has a chapter on Securing World Wide Web Servers:
    http://www.ciac.org/ciac/documents/ciac2308.html

There are other resources that CIAC recommends for additional guidance. The
first is a publication that was developed by SANS and The Intranet Institute
after the web server at the U.S. Department of Justice was hacked--"Twelve
Mistakes To Avoid In Managing Security-For the Web." The document can be
found at:
    http://www.computerworld.com/home/online9697.nsf/all/971001secure
SANS also publishes a document called "14 Steps to Avoiding Disaster with
Your Web Site."

Another web site that you should bookmark is http://www.w3.org/Security/faq/.
This is a web security FAQ (Frequently Asked Questions) that is maintained by
The World Wide Web Consortium, http://www.w3.org/. They have security sections
for each of the major operating systems used today for web servers:
    http://www.w3.org/Security/faq/wwwsf8.html

IF YOUR WEB SITE HAS BEEN HACKED:

CIAC recommends the following as you check your web servers:

1. Apply ALL security-related patches for the web server software as well as
   for the underlying Operating System.
2. Remove ALL unnecessary files such as phf from the scripts directory
   /cgi-bin. Remove the "default" document trees that are shipped with Web
   servers such as IIS and ExAir.
3. Validate ALL user accounts on the web server and ensure that they have
   strong passwords.
4. Validate ALL services and open ports on the web server to ensure there are
   no Trojanned services.
5. Look for suspicious files in the /dev, /etc, and /tmp directories.
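Best practice 6 above calls for a macro that checks the integrity of passwd and other critical files every hour and alerts on change, and post-incident step 5 calls for looking for unexpected files in /dev, /etc and /tmp. The script below is an added example of one such check, not part of the CIAC bulletin: it records a baseline of checksums for a directory, then reports files that were modified, added or removed. The sandbox directory and its passwd and inetd.conf contents are constructed sample data; the only assumptions are a POSIX shell with find, cksum, sort, awk and comm, and paths without whitespace.

```shell
#!/bin/sh
# Added example, not part of the CIAC bulletin: an hourly-style integrity
# check in the spirit of best practice 6 (watch passwd and other critical
# files, alert on change) and post-incident step 5 (look for unexpected
# files). Assumes POSIX sh with find, cksum, sort, awk and comm; all paths
# below are a constructed sandbox and must not contain spaces.

# snapshot DIR OUT: one line "crc size path" per regular file under DIR.
snapshot() {
    find "$1" -type f -exec cksum {} + | sort -k3 > "$2"
}

# check_integrity DIR BASELINE: print one NEW/MISSING/MODIFIED line per
# deviation from BASELINE; return 1 if anything deviated, else 0.
check_integrity() {
    cur=$(mktemp); snapshot "$1" "$cur"
    awk '{print $3}' "$2"   | sort > "$cur.bp"   # baseline paths
    awk '{print $3}' "$cur" | sort > "$cur.cp"   # current paths
    rc=0
    for p in $(comm -13 "$cur.bp" "$cur.cp"); do echo "NEW $p"; rc=1; done
    for p in $(comm -23 "$cur.bp" "$cur.cp"); do echo "MISSING $p"; rc=1; done
    for p in $(comm -12 "$cur.bp" "$cur.cp"); do
        old=$(awk -v f="$p" '$3 == f {print $1}' "$2")
        new=$(awk -v f="$p" '$3 == f {print $1}' "$cur")
        [ "$old" = "$new" ] || { echo "MODIFIED $p"; rc=1; }
    done
    rm -f "$cur" "$cur.bp" "$cur.cp"
    return $rc
}

# demo: a sandbox standing in for /etc; baseline it, apply constructed
# changes of the kind an intrusion leaves behind, and report them.
demo() {
    box=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$box/passwd"
    printf '# constructed sample config\n'  > "$box/inetd.conf"
    snapshot "$box" "$box.base"
    printf 'extra:x:0:0::/:/bin/sh\n' >> "$box/passwd"   # unexpected uid-0 account
    : > "$box/.hidden"                                   # stray new file
    rm -f "$box/inetd.conf"                              # critical file gone
    result=0
    report=$(check_integrity "$box" "$box.base") || result=$?
    rm -rf "$box" "$box.base"
    echo "$report"
    return $result
}

# From cron, pipe this report to mail(1) for the system manager instead.
demo || echo "deviations found (exit $?)"
```

Keep the baseline file off the web server (on a host inside your Intranet, or at least outside the served and writable trees), since an intruder who can rewrite the baseline can silence the check.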
______________________________________________________________________________

DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/