[Chameleon] how to make a secure application on win32

Delfos, Jacob jacob.delfos at maunsell.com
Sun Mar 12 17:24:00 EST 2006


Jeremy,

There is one thing in the MS4W package that I think is a possible
security problem; Apache is configured by default to allow directory
listing. This means people can see what is available on your computer,
and can read files that they wouldn't normally know the existence of
(map files, etc). You can change that by looking for this line in
httpd.conf:

    Options Indexes FollowSymLinks

Remove the "FollowSymLinks".

Regards,

Jacob
 

> -----Original Message-----
> From: chameleon-bounces at lists.maptools.org 
> [mailto:chameleon-bounces at lists.maptools.org] On Behalf Of 
> Sears, Jeremy
> Sent: 11 March 2006 04:23
> To: chameleon at lists.maptools.org
> Subject: [Chameleon] how to make a secure application on win32
> 
> Hi all,
> 
> I'm wondering if anyone can point me to documents etc that describe how to
> make a chameleon/mapserver application secure for use over the web. We have
> developed an application on ms4w and wish to make it available via http.
> Has anyone experience with this that could offer tips? On maptools.org's
> ms4w download page they indicate that ms4w shouldn't be used for production
> purposes. Does anyone know if ms4w can be made secure?
> 
> I don't know much (anything really) about breaking into remote servers. Is it
> naive to assume that the following setup would be secure? By secure I mean
> an intruder would not be able to access mapserver's .map files to obtain
> database passwords etc, nor able to access httpd.conf files or do anything
> else besides look at the mapserver/chameleon output via valid http requests.
> 
> 
> A setup:
> 
> A windows server on a LAN, running the ms4w/chameleon package. The ms4w/cham
> package installed in either a directory or a separate partition of a hard
> disk. This partition/directory is open to WAN via a proxy server that can
> only access the partition/directory on which ms4w is installed. Only
> http requests can be made through the proxy to the ms4w/chameleon
> installation.
> 
> As I mentioned, I'm new to security issues. Any suggestions would be great.
> Perhaps there is a more appropriate place to ask such a question?
> 
> Thanks
> Jeremy
> _______________________________________________
> Chameleon mailing list
> Chameleon at lists.maptools.org
> http://lists.maptools.org/mailman/listinfo/chameleon
> 
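
Added example (not part of the original thread or of the MS4W package): in Apache httpd, automatic directory listings are generated when the `Indexes` option is in effect, so one quick audit is to find every `Options` line in httpd.conf that turns it on. The sample configuration and its paths are constructed, and inheritance is simplified to judging each `Options` line on its own.

```python
import re

# Constructed sample httpd.conf fragment (paths are placeholders).
SAMPLE_CONF = """\
# global section
Options Indexes FollowSymLinks
<Directory "/example/htdocs">
    Options -Indexes +FollowSymLinks
</Directory>
<Directory "/example/apps">
    Options All
</Directory>
<Directory "/example/tmp">
    Options +ExecCGI
</Directory>
"""

OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.IGNORECASE)
SECTION_RE = re.compile(r"^\s*<(/?)(Directory|Location|VirtualHost)\b\s*([^>]*)>",
                        re.IGNORECASE)

def indexes_effect(tokens):
    """Return 'on', 'off' or 'inherit' for the tokens of one Options line."""
    lowered = [t.lower() for t in tokens]
    if all(t[0] in "+-" for t in lowered):
        # Relative form: only the named options change, the rest is inherited.
        if "+indexes" in lowered:
            return "on"
        return "off" if "-indexes" in lowered else "inherit"
    # Absolute form replaces whatever was inherited; All includes Indexes.
    return "on" if ("indexes" in lowered or "all" in lowered) else "off"

def audit(conf_text):
    """Return (line_no, context, effect) for every Options directive."""
    stack, results = ["<global>"], []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        sec, opt = SECTION_RE.match(line), OPTIONS_RE.match(line)
        if sec and sec.group(1):
            if len(stack) > 1:
                stack.pop()
        elif sec:
            stack.append(f"{sec.group(2)} {sec.group(3).strip()}")
        elif opt:
            results.append((no, stack[-1], indexes_effect(opt.group(1).split())))
    return results

def listing_enabled(conf_text):
    """Lines and contexts where directory listing is switched on."""
    return [(no, ctx) for no, ctx, eff in audit(conf_text) if eff == "on"]
```

Calling `listing_enabled()` on the text of a real httpd.conf gives the line numbers to review; contexts reported as `inherit` by `audit()` take their setting from an enclosing section.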


