Sunday, January 6, 2019

Apache security - list all possible handlers / actions



To ensure there aren't security weaknesses that can be exploited via .htaccess, how can we see all possible handlers that Apache can use via directives like SetHanlder and AddHandler.




I know I can find some by looking at the output of mod_info or grepping through conf files (which was an approach I found when trying to find an answer to this question), but that doesn't mean there aren't handlers available that aren't listed that way. I imagine I could download and search through all the source code of Apache and every module that's loaded and see what they are registering, but is there a better way?



A quick fix would be to not allow AddHandler and SetHandler in .htaccess, but that has its drawbacks. For example, Drupal has a valid use-case for the SetHandler directive as it uses it as part of defense in depth for preventing PHP scripts from running if someone somehow manages to upload them to the site through a file uploader.



Here are some examples of what I'm referring to:



AddHandler server-parsed .shtml

SetHandler server-info


AddHandler application/x-httpd-php5 .php


Here's Drupal's use case from sites/default/files/.htaccess if anyone's interested:



# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006

# Override the handler again if we're run later in the evaluation list.

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003



EDIT July 30, 2015: This is not an exhaustive answer, but in case it's helpful to anyone, I found some handlers listed at the top of http://httpd.apache.org/docs/2.4/handler.html and also read that custom handlers can be created by the Action directive (see http://httpd.apache.org/docs/2.4/mod/mod_actions.html#action).



EDIT Sept 1, 2015: I wonder if there's some way to dump the memory of an httpd process and find the handlers names in there. I tried this using gcore, but didn't have success (though I've never used that before and got a warning when doing it, so I'm not sure if I'm doing something wrong).


Answer



Not possible, sorry.
As per my statement on The Apache Modules Guide:





Thus, the server itself does not presume to know which module is responsible for handling a specific request, and will ask each module whether they have an interest in a given request or not. It is then up to each module to either gently decline serving a request, accept serving it or flat out deny the request from being served, as authentication/authorization modules do




It is all handled at request-time, as per the design, so you cannot traverse modules or otherwise figure this out. You have to read the source code of each module to learn about their handler names.



Your best bet is to make a module yourself that checks the handler currently set for a request against a set of accepted handler names, and changes it to default if not present in the list.


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...