[Chameleon] how to make a secure application on win32

Paul Spencer pspencer at dmsolutions.ca
Fri Mar 10 16:24:41 EST 2006


Not necessarily.  Apache can be configured well or poorly for
security.  Chameleon could contain vulnerabilities also.  For
instance, there is a type of attack called SQL injection in which a
specially crafted URL can be formed that could cause the SQLQuery
widget to perhaps reveal information that it shouldn't.

There are lots of this type of thing.  We've tried to be careful with  
Chameleon but ... no guarantees.

Cheers

Paul


On 10-Mar-06, at 3:56 PM, Sears, Jeremy wrote:

> Sweet, Thanks for the tip.
> So if one were to use ms4w to serve maps on www, the biggest concern is with
> apache and security issues with apache, rather than with chameleon and/or
> map server?
>
> Jeremy
>
> -----Original Message-----
> From: Paul Spencer [mailto:pspencer at dmsolutions.ca]
> Sent: March 10, 2006 3:49 PM
> To: Sears, Jeremy
> Cc: chameleon at lists.maptools.org
> Subject: Re: [Chameleon] how to make a secure application on win32
>
>
> Jeremy,
>
> the primary reason that ms4w includes that disclaimer is because
> earlier versions of apache included it.  Also, we are not warranting
> the software for production use.  That being said, the default
> configuration of ms4w is to prevent access to any directory except
> the 'htdocs' directory.  As far as I know, this is reasonably
> secure.  There may be additional things you can do in Apache to
> prevent certain hacks also ... I'm not an apache conf expert ;)
>
> You shouldn't need to move stuff around, though.
>
> Cheers
>
> Paul
>
> On 10-Mar-06, at 3:22 PM, Sears, Jeremy wrote:
>
>> Hi all,
>>
>> I'm wondering if anyone can point me to documents etc that describe how to
>> make a chameleon/mapserver application secure for use over the web. We have
>> developed an application on ms4w and wish to make it available via http.
>> Has anyone experience with this that could offer tips? On maptools.org's
>> ms4w download page they indicate that ms4w shouldn't be used for production
>> purposes. Does anyone know if ms4w can be made secure?
>>
>> I don't know much (anything really) about breaking into remote servers. Is it
>> naive to assume that the following setup would be secure? By secure I mean
>> an intruder would not be able to access mapserver's .map files to obtain
>> database passwords etc, nor able to access httpd.conf files or do anything
>> else besides look at the mapserver/chameleon output via valid http requests.
>>
>>
>> A setup:
>>
>> A windows server on a LAN, running the ms4w/chameleon package. The ms4w/cham
>> package installed in either a directory or a separate partition of a hard
>> disk. This partition/directory is open to WAN via a proxy server that can
>> only access the partition/directory on which ms4w is installed. Only
>> http requests can be made through the proxy to the ms4w/chameleon
>> installation.
>>
>> As I mentioned, I'm new to security issues. Any suggestions would be great.
>> Perhaps there is a more appropriate place to ask such a question?
>>
>> Thanks
>> Jeremy
>> _______________________________________________
>> Chameleon mailing list
>> Chameleon at lists.maptools.org
>> http://lists.maptools.org/mailman/listinfo/chameleon
>
> +-----------------------------------------------------------------+
> |Paul Spencer                           pspencer at dmsolutions.ca   |
> +-----------------------------------------------------------------+
> |Applications & Software Development                              |
> |DM Solutions Group Inc                 http://www.dmsolutions.ca/|
> +-----------------------------------------------------------------+

+-----------------------------------------------------------------+
|Paul Spencer                           pspencer at dmsolutions.ca   |
+-----------------------------------------------------------------+
|Applications & Software Development                              |
|DM Solutions Group Inc                 http://www.dmsolutions.ca/|
+-----------------------------------------------------------------+
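
The "deny everything except htdocs" default described in the thread, written out as an added example (not taken from the thread or from the ms4w distribution). It uses Apache 2.4 access-control syntax; the /ms4w/Apache/htdocs path and the file extensions are assumptions to adjust for the actual install.

```apache
# Added example. Paths below are assumed, not taken from ms4w's shipped config.

# 1. Default deny: nothing on the filesystem is served unless a later
#    block grants it explicitly.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

# 2. Grant access to the document root only (assumed location).
#    -Indexes stops Apache from listing directory contents when no
#    index file is present.
<Directory "/ms4w/Apache/htdocs">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# 3. Defence in depth: refuse to serve MapServer .map files and .conf
#    files over HTTP even if one ends up inside a served directory.
#    MapServer reads the .map file from disk itself, so this does not
#    affect map rendering.
<FilesMatch "\.(map|conf)$">
    Require all denied
</FilesMatch>

# On Apache 2.0/2.2 the equivalent of "Require all denied" is:
#     Order deny,allow
#     Deny from all
```

A request for a .map file under the document root should then return 403. Keeping .map files outside any served directory remains the stronger control, since they can hold database credentials.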





