Diffstat (limited to 'docs')
-rw-r--r--  docs/xml/Bugzilla-Guide.xml  |   7
-rw-r--r--  docs/xml/glossary.xml        |  35
-rw-r--r--  docs/xml/installation.xml    | 284
-rw-r--r--  docs/xml/security.xml        | 411
4 files changed, 464 insertions, 273 deletions
diff --git a/docs/xml/Bugzilla-Guide.xml b/docs/xml/Bugzilla-Guide.xml index 142b03d37..d12f6a817 100644 --- a/docs/xml/Bugzilla-Guide.xml +++ b/docs/xml/Bugzilla-Guide.xml @@ -9,6 +9,7 @@ <!ENTITY glossary SYSTEM "glossary.xml"> <!ENTITY installation SYSTEM "installation.xml"> <!ENTITY administration SYSTEM "administration.xml"> +<!ENTITY security SYSTEM "security.xml"> <!ENTITY using SYSTEM "using.xml"> <!ENTITY integration SYSTEM "integration.xml"> <!ENTITY index SYSTEM "index.xml"> @@ -34,6 +35,7 @@ <!ENTITY bz-nextver "2.20"> <!ENTITY bz-date "2004-10-24"> <!ENTITY % bz-devel "INCLUDE"> +<!ENTITY current-year "2004"> <!ENTITY landfillbase "http://landfill.bugzilla.org/bugzilla-tip/"> <!ENTITY bz "http://www.bugzilla.org/"> @@ -142,6 +144,9 @@ <!-- Administering Bugzilla --> &administration; +<!-- Securing Bugzilla --> +&security; + <!-- Customizing Bugzilla --> &customization; @@ -188,4 +193,4 @@ sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter") sgml-shorttag:t sgml-tag-region-if-active:t End: ---> +-->
\ No newline at end of file diff --git a/docs/xml/glossary.xml b/docs/xml/glossary.xml index 3893094c0..08ad45524 100644 --- a/docs/xml/glossary.xml +++ b/docs/xml/glossary.xml @@ -3,7 +3,7 @@ <glossdiv> <title>0-9, high ascii</title> - <glossentry> + <glossentry id="gloss-htaccess"> <glossterm>.htaccess</glossterm> <glossdef> @@ -195,7 +195,7 @@ <glossdiv id="gloss-d"> <title>D</title> - <glossentry> + <glossentry id="gloss-daemon"> <glossterm>daemon</glossterm> <glossdef> @@ -208,6 +208,23 @@ a web server, are generally run as daemons.</para> </glossdef> </glossentry> + + <glossentry id="gloss-dos"> + <glossterm>DOS Attack</glossterm> + + <glossdef> + <para>A DOS, or Denial of Service attack, is when a user attempts to + deny access to a web server by repeatadly accessing a page or sending + malformed requests to a webserver. This can be effectively prevented + by using <filename>mod_throttle</filename> as described in + <xref linkend="security-webserver-mod-throttle"/>. A D-DOS, or + Distributed Denial of Service attack, is when these requests come + from multiple sources at the same time. Unfortunately, these are much + more difficult to defend against. + </para> + </glossdef> + </glossentry> + </glossdiv> <glossdiv id="gloss-g"> @@ -393,6 +410,19 @@ <glossdiv id="gloss-s"> <title>S</title> + <glossentry id="gloss-service"> + <glossterm>Service</glossterm> + + <glossdef> + <para>In Windows NT environment, a boot-time background application + is refered to as a service. These are generally managed through the + control pannel while logged in as an account with + <quote>Administrator</quote> level capabilities. For more + information, consult your Windows manual or the MSKB. + </para> + </glossdef> + </glossentry> + <glossentry> <glossterm> <acronym>SGML</acronym> @@ -520,4 +550,3 @@ sgml-shorttag:t sgml-tag-region-if-active:t End: --> - diff --git a/docs/xml/installation.xml b/docs/xml/installation.xml index 9c60535a1..0f06b4735 100644 
--- a/docs/xml/installation.xml +++ b/docs/xml/installation.xml @@ -1,5 +1,5 @@ <!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> --> -<!-- $Id: installation.xml,v 1.81 2004/11/25 08:50:59 jocuri%softhome.net Exp $ --> +<!-- $Id: installation.xml,v 1.82 2004/12/02 04:21:27 jake%bugzilla.org Exp $ --> <chapter id="installing-bugzilla"> <title>Installing Bugzilla</title> @@ -520,7 +520,8 @@ <para>Poorly-configured MySQL and Bugzilla installations have given attackers full access to systems in the past. Please take the security parts of these guidelines seriously, even for Bugzilla - machines hidden away behind your firewall.</para> + machines hidden away behind your firewall. Be certain to read + <xref linkend="security"/> for some important security tips.</para> </warning> <section id="localconfig"> 
@@ -560,70 +561,13 @@ <section id="mysql"> <title>MySQL</title> - <section id="security-mysql"> - <title>Security</title> - - <para>MySQL ships as insecure by default. - It allows anybody to on the local machine full administrative - capabilities without requiring a password; the special - MySQL root account (note: this is <emphasis>not</emphasis> the same as - the system root) also has no password. - Also, many installations default to running - <application>mysqld</application> as the system root. + <caution> + <para>MySQL's default configuration is very insecure. + <xref linkend="security-mysql"/> has some good information for + improving your installation's security. </para> - - <orderedlist> - <listitem> - <para>To disable the anonymous user account - and set a password for the root user, execute the following. The - root user password should be different to the bugs user password - you set in - <filename>localconfig</filename> in the previous section, - and also different to - the password for the system root account on your machine. - </para> - <screen> <prompt>bash$</prompt> mysql mysql - <prompt>mysql></prompt> DELETE FROM user WHERE user = ''; - <prompt>mysql></prompt> UPDATE user SET password = password('<replaceable>new_password</replaceable>') WHERE user = 'root'; - <prompt>mysql></prompt> FLUSH PRIVILEGES;</screen> - - <para>From this point forward, to run the - <filename>mysql</filename> command-line client, - you will need to type - <command>mysql -u root -p</command> and enter - <replaceable>new_password</replaceable> when prompted. - </para> - </listitem> - - <listitem> - <para>If you run MySQL on the same machine as your web server, you - should disable remote access to MySQL by adding - the following to your <filename>/etc/my.cnf</filename>: - </para> - <programlisting> [myslqd] - # Prevent network access to MySQL. 
- skip-networking</programlisting> - </listitem> - - <listitem> - <para>Consult the documentation that came with your system for - information on making <application>mysqld</application> run as an - unprivileged user. - </para> - </listitem> - - <listitem> - <para>For added security, you could also run MySQL, or even all - of Bugzilla - in a chroot jail; however, instructions for doing that are beyond - the scope of this document. - </para> - </listitem> - - </orderedlist> - - </section> - + </caution> + <section id="install-setupdatabase"> <title>Allow large attachments</title> @@ -765,7 +709,10 @@ <section id="http"> <title>Web server</title> <para>Configure your web server according to the instructions in the - appropriate section. The Bugzilla Team recommends Apache. + appropriate section. The Bugzilla Team recommends Apache. No matter + what webserver you choose, make sure that sensitive information is + not remotely available by ensuring that the access controls in + <xref linkend="security-webserver-access"/> are properly applied. </para> <section id="http-apache"> @@ -825,7 +772,7 @@ <para>Also, and this can't be stressed enough, make sure that files such as <filename>localconfig</filename> and your <filename class="directory">data</filename> - directory are secured as described in <xref linkend="security-access"/>. + directory are secured as described in <xref linkend="security-webserver-access"/>. </para> </section> 
@@ -893,137 +840,6 @@ </note> </section> - <section id="security-access"> - <title>Web Server Access Controls</title> - - <para>Users of Apache can skip this section because - Bugzilla ships with <filename>.htaccess</filename> files which - restrict access in the manner required. - Users of other webservers, read on. - </para> - - <para>There are several files in the Bugzilla directory - that should not be accessible from the web. You need to configure - your webserver so they they aren't. Not doing this may reveal - sensitive information such as database passwords. - </para> - - <itemizedlist spacing="compact"> - <listitem> - <para>In the main Bugzilla directory, you should:</para> - <itemizedlist spacing="compact"> - <listitem> - <para>Block: - <simplelist type="inline"> - <member><filename>*.pl</filename></member> - <member><filename>*localconfig*</filename></member> - <member><filename>runtests.sh</filename></member> - </simplelist> - </para> - </listitem> - <listitem> - <para>But allow: - <simplelist type="inline"> - <member><filename>localconfig.js</filename></member> - <member><filename>localconfig.rdf</filename></member> - </simplelist> - </para> - </listitem> - </itemizedlist> - </listitem> - - <listitem> - <para>In <filename class="directory">data</filename>:</para> - <itemizedlist spacing="compact"> - <listitem> - <para>Block everything</para> - </listitem> - <listitem> - <para>But allow: - <simplelist type="inline"> - <member><filename>duplicates.rdf</filename></member> - </simplelist> - </para> - </listitem> - </itemizedlist> - </listitem> - - <listitem> - <para>In <filename class="directory">data/webdot</filename>:</para> - <itemizedlist spacing="compact"> - <listitem> - <para>If you use a remote webdot server:</para> - <itemizedlist spacing="compact"> - <listitem> - <para>Block everything</para> - </listitem> - <listitem> - <para>But allow - <simplelist type="inline"> - <member><filename>*.dot</filename></member> - </simplelist> - only for the remote 
webdot server</para> - </listitem> - </itemizedlist> - </listitem> - <listitem> - <para>Otherwise, if you use a local GraphViz:</para> - <itemizedlist spacing="compact"> - <listitem> - <para>Block everything</para> - </listitem> - <listitem> - <para>But allow: - <simplelist type="inline"> - <member><filename>*.png</filename></member> - <member><filename>*.gif</filename></member> - <member><filename>*.jpg</filename></member> - <member><filename>*.map</filename></member> - </simplelist> - </para> - </listitem> - </itemizedlist> - </listitem> - <listitem> - <para>And if you don't use any dot:</para> - <itemizedlist spacing="compact"> - <listitem> - <para>Block everything</para> - </listitem> - </itemizedlist> - </listitem> - </itemizedlist> - </listitem> - - <listitem> - <para>In <filename class="directory">Bugzilla</filename>:</para> - <itemizedlist spacing="compact"> - <listitem> - <para>Block everything</para> - </listitem> - </itemizedlist> - </listitem> - - <listitem> - <para>In <filename class="directory">template</filename>:</para> - <itemizedlist spacing="compact"> - <listitem> - <para>Block everything</para> - </listitem> - </itemizedlist> - </listitem> - </itemizedlist> - - <para>You should test to make sure that the files mentioned above are - not accessible from the Internet, especially your - <filename>localconfig</filename> file which contains your database - password. To test, simply point your web browser at the file; for - example, to test mozilla.org's installation, we'd try to access - <ulink url="http://bugzilla.mozilla.org/localconfig"/>. You should - get a <errorcode>403</errorcode> <errorname>Forbidden</errorname> - error. - </para> - </section> </section> 
@@ -1310,75 +1126,6 @@ </section> - <section id="content-type"> - - <title>Prevent users injecting malicious - Javascript</title> - - <para>It is possible for a Bugzilla user to take advantage of character - set encoding ambiguities to inject HTML into Bugzilla comments. This - could include malicious scripts. - Due to internationalization concerns, we are unable to - incorporate by default the code changes suggested by - <ulink - url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3"> - the CERT advisory</ulink> on this issue. - If your installation is for an English speaking audience only, making the - change below will prevent this problem. - </para> - - <para>Simply locate the following line in - <filename>Bugzilla/CGI.pm</filename>: - <programlisting>$self->charset('');</programlisting> - and change it to: - <programlisting>$self->charset('ISO-8859-1');</programlisting> - </para> - </section> - - <section id="mod-throttle" - xreflabel="Using mod_throttle to prevent Denial of Service attacks"> - <title> - <filename>mod_throttle</filename></title> - - <para>It is possible for a user, by mistake or on purpose, to access - the database many times in a row which can result in very slow access - speeds for other users. If your Bugzilla installation is experiencing - this problem, you may install the Apache module - <filename>mod_throttle</filename> - which can limit connections by IP address. You may download this module - at - <ulink url="http://www.snert.com/Software/mod_throttle/"/>. - Follow the instructions to install into your Apache install. - <emphasis>This module only functions with the Apache web - server!</emphasis> - The command you need is - <command>ThrottleClientIP</command>. 
See the - <ulink url="http://www.snert.com/Software/mod_throttle/">documentation</ulink> - for more information.</para> - </section> - - <section id="security-networking"> - <title>TCP/IP Ports</title> - - <para>A single-box Bugzilla only requires port 80, plus port 25 if - you are using the optional email interface. You should firewall all - other ports and/or disable services listening on them. - </para> - </section> - - <section id="security-daemon"> - <title>Daemon Accounts</title> - - <para>Many daemons, such as Apache's httpd and MySQL's mysqld default to - running as either <quote>root</quote> or <quote>nobody</quote>. Running - as <quote>root</quote> introduces obvious security problems, but the - problems introduced by running everything as <quote>nobody</quote> may - not be so obvious. Basically, if you're running every daemon as - <quote>nobody</quote> and one of them gets compromised, they all get - compromised. For this reason it is recommended that you create a user - account for each daemon. - </para> - </section> <section id="apache-addtype"> <title>Serving Alternate Formats with the right MIME type</title> @@ -1532,7 +1279,7 @@ $smtp->quit; <para>As is the case on Unix based systems, any web server should be able to handle Bugzilla; however, the Bugzilla Team still recommends Apache whenever asked. No matter what web server you choose, be sure - to pay attention to the security notes in <xref linkend="security-access"/>. + to pay attention to the security notes in <xref linkend="security-webserver-access"/>. More information on configuring specific web servers can be found in <xref linkend="http"/>. </para> @@ -2205,4 +1952,3 @@ sgml-shorttag:t sgml-tag-region-if-active:t End: --> - diff --git a/docs/xml/security.xml b/docs/xml/security.xml new file mode 100644 index 000000000..de859e6b5 --- /dev/null +++ b/docs/xml/security.xml 
@@ -0,0 +1,411 @@ +<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> --> +<!-- $Id: security.xml,v 1.1 2004/12/02 04:21:27 jake%bugzilla.org Exp $ --> + +<chapter id="security"> +<title>Bugzilla Security</title> + + <para>While some of the items in this chapter are related to the operating + system Bugzilla is running on or some of the support software required to + run Bugzilla, it is all related to protecting your data. This is not + intended to be a comprehensive guide to securing Linux, Apache, MySQL, or + any other piece of software mentioned. There is no substitute for active + administration and monitoring of a machine. The key to good security is + actually right in the middle of the word: <emphasis>U R It</emphasis>. + </para> + + <para>While programmers in general always strive to write secure code, + accidents can and do happen. The best approach to security is to always + assume that the program you are working with isn't 100% secure and restrict + its access to other parts of your machine as much as possible. + </para> + + <section id="security-os"> + <title>Operating System</title> + + <section id="security-os-ports"> + <title>TCP/IP Ports</title> + + <!-- TODO: Get exact number of ports --> + <para>The TCP/IP standard defines more than 65,000 ports for sending + and receiving traffic. Of those, Bugzilla needs exactly one to operate + (different configurations and options may require up to 3). You should + audit your server and make sure that you aren't listening on any ports + you don't need to be. It's also highly recommended that the server + Bugzilla resides on, along with any other machines you administer, be + placed behind some kinda of firewall. 
+ </para> + + </section> + + <section id="security-os-accounts"> + <title>System User Accounts</title> + + <para>Many <glossterm linkend="gloss-daemon">daemon</glossterm>, such + as Apache's <filename>httpd</filename> or MySQL's + <filename>mysqld</filename>, run as either <quote>root</quote> or + <quote>nobody</quote>. This is even worse on Windows machines where the + majority of <glossterm linkend="gloss-service">services</glossterm> + run as <quote>SYSTEM</quote>. While running as <quote>root</quote> or + <quote>SYSTEM</quote> introduces obvious security concerns, the + problems introduced by running everything as <quote>nobody</quote> may + not be so obvious. Basically, if you run every daemon as + <quote>nobody</quote> and one of them gets comprimised it can + comprimise every other daemon running as <quote>nobody</quote> on your + machine. For this reason it is recommended that you create a user + account for each daemon. + </para> + + <note> + <para>You will need to set the <option>webservergroup</option> option + in <filename>localconfig</filename> to the group your webserver runs + as. This will allow <filename>./checksetup.pl</filename> to set file + permissions on Unix systems so that nothing is world-writable. + </para> + </note> + + </section> + + <section id="security-os-chroot"> + <title>The <filename>chroot</filename> Jail</title> + + <para>If your system supports it, you may wish to consider running + Bugzilla inside of a <filename>chroot</filename> jail. This option + provides unpresidented security by restricting anything running + inside the jail from accessing any information outside of it. If you + wish to use this option, please consult the documentation that came + with your system. 
+ </para> + + </section> + + </section> + + + + <section id="security-mysql"> + <title>MySQL</title> + + <section id="security-mysql-account"> + <title>The MySQL System Account</title> + + <para>As mentioned in <xref linkend="security-os-accounts"/>, the MySQL + daemon should run as a non-privleged, unique user. Be sure to consult + the MySQL documentation or the documentation that came with your system + for instructions. + </para> + </section> + + <section id="security-mysql-root"> + <title>The MySQL <quote>root</quote> and <quote>anonymous</quote> Users</title> + + <para>By default, MySQL comes with a <quote>root</quote> user with a + blank password and an <quote>anonymous</quote> user, also with a blank + password. In order to protect your data, the <quote>root</quote> user + should be given a password and the anonymous user should be disabled. + </para> + + <example id="security-mysql-account-root"> + <title>Assigning the MySQL <quote>root</quote> User a Password</title> + + <screen> +<prompt>bash$</prompt> mysql mysql +<prompt>mysql></prompt> UPDATE user SET password = password('<replaceable>new_password</replaceable>') WHERE user = 'root'; +<prompt>mysql></prompt> FLUSH PRIVILEGES; + </screen> + </example> + + <example id="security-mysql-account-anonymous"> + <title>Disabling the MySQL <quote>anonymous</quote> User</title> + <screen> +<prompt>bash$</prompt> mysql -u root -p mysql <co id="security-mysql-account-anonymous-mysql"/> +<prompt>Enter Password:</prompt> <replaceable>new_password</replaceable> +<prompt>mysql></prompt> DELETE FROM user WHERE user = ''; +<prompt>mysql></prompt> FLUSH PRIVILEGES; + </screen> + <calloutlist> + <callout arearefs="security-mysql-account-anonymous-mysql"> + <para>This command assumes that you have already completed + <xref linkend="security-mysql-account-root"/>. 
+ </para> + </callout> + </calloutlist> + </example> + + </section> + + <section id="security-mysql-network"> + <title>Network Access</title> + + <para>If MySQL and your webserver both run on the same machine and you + have no other reason to access MySQL remotely, then you should disable + the network access. This, along with the suggestion in + <xref linkend="security-os-ports"/>, will help protect your system from + any remote vulnerabilites in MySQL. This is done using different + methods in MySQL versions 3 and 4. + </para> + + <example> + <title>Disabling Networking in MySQL 3.x</title> + + <para>Simply enter the following in <filename>/etc/my.conf</filename>: + <screen> +[myslqd] +# Prevent network access to MySQL. +skip-networking + </screen> + </para> + </example> + + <example> + <title>Disabling Networking in MySQL 4.x</title> + + <para>There's a bug in Bugzilla about this</para> + </example> + + </section> + + +<!-- For possible addition in the future: How to better control the bugs user + <section id="security-mysql-bugs"> + <title>The bugs User</title> + + </section> +--> + + </section> + + + + <section id="security-webserver"> + <title>Webserver</title> + + <section id="security-webserver-access"> + <title>Disabling Remote Access to Bugzilla Configuration Files</title> + + <para>There are many files that are placed in the Bugzilla directory + area that should not be accessable from the web. Because of the way + Bugzilla is currently layed out, the list of what should and should not + be accessible is rather complicated. A new installation method is + currently in the works which should solve this by allowing files that + shouldn't be accessible from the web to be placed in directory outside + the webroot. See + <ulink url="http://bugzilla.mozilla.org/show_bug.cgi?id=44659">bug 44659</ulink> + for more information. 
+ </para> + + <tip> + <para>Bugzilla ships with the ability to create + <glossterm linkend="gloss-htaccess"><filename>.htaccess</filename></glossterm> + files that enforce these rules. Instructions for enabling these + directives in Apache can be found in <xref linkend="http-apache"/> + </para> + </tip> + + <itemizedlist spacing="compact"> + <listitem> + <para>In the main Bugzilla directory, you should:</para> + <itemizedlist spacing="compact"> + <listitem> + <para>Block: + <simplelist type="inline"> + <member><filename>*.pl</filename></member> + <member><filename>*localconfig*</filename></member> + <member><filename>runtests.sh</filename></member> + </simplelist> + </para> + </listitem> + <listitem> + <para>But allow: + <simplelist type="inline"> + <member><filename>localconfig.js</filename></member> + <member><filename>localconfig.rdf</filename></member> + </simplelist> + </para> + </listitem> + </itemizedlist> + </listitem> + + <listitem> + <para>In <filename class="directory">data</filename>:</para> + <itemizedlist spacing="compact"> + <listitem> + <para>Block everything</para> + </listitem> + <listitem> + <para>But allow: + <simplelist type="inline"> + <member><filename>duplicates.rdf</filename></member> + </simplelist> + </para> + </listitem> + </itemizedlist> + </listitem> + + <listitem> + <para>In <filename class="directory">data/webdot</filename>:</para> + <itemizedlist spacing="compact"> + <listitem> + <para>If you use a remote webdot server:</para> + <itemizedlist spacing="compact"> + <listitem> + <para>Block everything</para> + </listitem> + <listitem> + <para>But allow + <simplelist type="inline"> + <member><filename>*.dot</filename></member> + </simplelist> + only for the remote webdot server</para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para>Otherwise, if you use a local GraphViz:</para> + <itemizedlist spacing="compact"> + <listitem> + <para>Block everything</para> + </listitem> + <listitem> + <para>But allow: + <simplelist 
type="inline"> + <member><filename>*.png</filename></member> + <member><filename>*.gif</filename></member> + <member><filename>*.jpg</filename></member> + <member><filename>*.map</filename></member> + </simplelist> + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para>And if you don't use any dot:</para> + <itemizedlist spacing="compact"> + <listitem> + <para>Block everything</para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + </listitem> + + <listitem> + <para>In <filename class="directory">Bugzilla</filename>:</para> + <itemizedlist spacing="compact"> + <listitem> + <para>Block everything</para> + </listitem> + </itemizedlist> + </listitem> + + <listitem> + <para>In <filename class="directory">template</filename>:</para> + <itemizedlist spacing="compact"> + <listitem> + <para>Block everything</para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + + <para>Be sure to test that data that should not be accessed remotely is + properly blocked. Of particular intrest is the localconfig file which + contains your database password. Also, be aware that many editors + create temporary and backup files in the working directory and that + those should also not be accessable. For more information, see + <ulink url="http://bugzilla.mozilla.org/show_bug.cgi?id=186383">bug 186383</ulink> + or + <ulink url="http://online.securityfocus.com/bid/6501">Bugtraq ID 6501</ulink>. + To test, simply point your web browser at the file; for example, to + test mozilla.org's installation, we'd try to access + <ulink url="http://bugzilla.mozilla.org/localconfig"/>. You should get + a <errorcode>403</errorcode> <errorname>Forbidden</errorname> error. + </para> + + <tip> + <para>Be sure to check <xref linkend="http"/> for instructions + specific to the webserver you use. 
+ </para> + </tip> + + </section> + + + <section id="security-webserver-mod-throttle"> + <title>Using <filename>mod_throttle</filename> to Prevent a DOS</title> + + <note> + <para>This section only applies to people who have chosen the Apache + webserver. It may be possible to do similar things with other + webservers. Consult the documentation that came with your webserver + to find out. + </para> + </note> + + <para>It is possible for a user, by mistake or on purpose, to access + the database many times in a row which can result in very slow access + speeds for other users (effectively, a + <glossterm linkend="gloss-dos">DOS</glossterm> attack). If your + Bugzilla installation is experiencing this problem, you may install + the Apache module <filename>mod_throttle</filename> which can limit + connections by IP address. You may download this module at + <ulink url="http://www.snert.com/Software/mod_throttle/"/>. + Follow the instructions to install into your Apache install. + The command you need is + <command>ThrottleClientIP</command>. See the + <ulink url="http://www.snert.com/Software/mod_throttle/">documentation</ulink> + for more information.</para> + </section> + + + </section> + + + <section id="security-bugzilla"> + <title>Bugzilla</title> + + <section id="security-bugzilla-charset"> + <title>Prevent users injecting malicious Javascript</title> + + <para>It is possible for a Bugzilla user to take advantage of character + set encoding ambiguities to inject HTML into Bugzilla comments. This + could include malicious scripts. + Due to internationalization concerns, we are unable to + incorporate by default the code changes suggested by + <ulink + url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3"> + the CERT advisory</ulink> on this issue. + If your installation is for an English speaking audience only, making the + change below will prevent this problem. 
+ </para> + + <para>Simply locate the following line in + <filename>Bugzilla/CGI.pm</filename>: + <programlisting>$self->charset('');</programlisting> + and change it to: + <programlisting>$self->charset('ISO-8859-1');</programlisting> + </para> + </section> + + </section> + +</chapter> + +<!-- Keep this comment at the end of the file +Local variables: +mode: sgml +sgml-always-quote-attributes:t +sgml-auto-insert-required-elements:t +sgml-balanced-tag-edit:t +sgml-exposed-tags:nil +sgml-general-insert-case:lower +sgml-indent-data:t +sgml-indent-step:2 +sgml-local-catalogs:nil +sgml-local-ecat-files:nil +sgml-minimize-attributes:nil +sgml-namecase-general:t +sgml-omittag:t +sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter") +sgml-shorttag:t +sgml-tag-region-if-active:t +End: --> |
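Review bot: the new `<!ENTITY current-year "2004">` in the second Bugzilla-Guide.xml hunk is not referenced by anything else in this patch, and like the `bz-date` entity right above it the value is hard-coded, so whatever uses it for a copyright or date line will have to be bumped by hand on every release; either add the reference that needs it in the same change or leave the entity out until it is used.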
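Review bot: the last Bugzilla-Guide.xml hunk removes `-->` and re-adds the identical `-->` followed by "\ No newline at end of file", so its only effect is to strip the file's terminating newline; that is a whitespace regression that every future diff will keep flagging, so drop this hunk. The trailing-blank-line removals at the end of glossary.xml and installation.xml are harmless but equally unrelated to the security chapter and could be left out of this change.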
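Review bot: in the new `gloss-dos` glossary entry, "repeatadly" should be "repeatedly", and "This can be effectively prevented by using mod_throttle" overstates what a per-client-IP connection limit does: it blunts a flood from a single address and, as the entry's own next sentence admits, does little against distributed sources, so "mitigated" is the accurate word. The same sentence also switches between "web server" and "webserver"; pick one spelling for the glossary.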
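Review bot: typos in the new `gloss-service` glossary entry: "In Windows NT environment" needs an article ("In a Windows NT environment"), "refered" should be "referred", and "pannel" should be "panel".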
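Review bot: replacing the old MySQL "Security" subsection in installation.xml with a `<caution>` that points at `security-mysql` loses one piece of advice that does not reappear in security.xml: the removed text required the MySQL root password to differ from both the bugs user password set in localconfig and the system root password. The new security-mysql-root section only says the root user "should be given a password", so carry that distinct-passwords sentence over to make the move lossless.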
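Review bot: the "Web server" hunk in installation.xml (@@ -765,7 +709,10 @@) adds a sentence that spells it "webserver" directly under a title and first sentence that use "web server"; pick one form for the paragraph. The pointer to `security-webserver-access` is the right target.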
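Review bot: the removed `security-networking` section in installation.xml named the ports a single-box Bugzilla needs (80, plus 25 when the optional email interface is used), but its replacement in security.xml's `security-os-ports` only says "exactly one ... may require up to 3" without naming any of them; restore the concrete numbers in the new section so an administrator auditing listeners knows which ones to keep. The rest of this hunk (content-type, mod-throttle, security-daemon) moves across with only wording changes.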
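Review bot: the MySQL 3.x networking example in the new security.xml has two defects that make it silently ineffective: the option group is written `[myslqd]`, and mysqld only reads option groups that match its own name, so a misspelled group is ignored and `skip-networking` never takes effect (the typo is inherited from the removed installation.xml text, so it has evidently never been caught by testing); and the file is given as `/etc/my.conf` where the removed text correctly had `/etc/my.cnf`. The 4.x example is an empty placeholder ("There's a bug in Bugzilla about this") and should either cite the bug number or be left out until there is a real instruction. The `<!-- TODO: Get exact number of ports -->` can be resolved in this patch: the TCP port field is 16 bits, so there are 65,536 port numbers (0 through 65535). In `security-os-chroot`, "unpresidented" should be "unprecedented", though "unprecedented security" itself overstates chroot, which confines filesystem paths and is not a boundary against a process that holds root inside the jail; "additional isolation" would be closer to the truth. Remaining typos: "Many daemon" (daemons), "comprimised"/"comprimise" (compromised/compromise), "some kinda of firewall" (some kind of firewall), "non-privleged" (non-privileged), "vulnerabilites" (vulnerabilities), "accessable" (accessible, twice), "layed out" (laid out), "placed in directory outside" (in a directory outside), "intrest" (interest), and the sentence ending at `<xref linkend="http-apache"/>` in the .htaccess tip is missing its full stop.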