How Default App Installs Can Compromise Apache
Defying good security practice, the Joomla content management system asks its users to reconfigure the Apache Web server software to a potentially dangerous setting, according to an Apache developer.
Administrators who install Joomla on a Linux-based Web server also running the Apache Web server software should know that they are "giving up a line of defense" in Apache security, warned Sander Temme. Temme is one of the developers behind the Apache Foundation's Apache HTTP Server, the server software used by the majority of Web sites on the Internet.
Temme highlighted Joomla during a conference session offering tips on securing Apache HTTP Server, typically known simply as Apache. He took issue with how Joomla, as well as other programs, requires that the Web server software have write privileges for the document root folder of the Web server.
The document root folder, or DocRoot, is the base folder in which all the files for a Web site, such as pages, scripts and images, are kept. When Apache is typically installed, it is only granted privileges to read all the content in a DocRoot, so it can serve this material to requesting browsers. It is not given permission to write to this folder, however.
"If Apache can write files to this content directory and serve those same files back out, someone else could put files there, such as malware," Temme said. "You're giving up the file permissions line of defense that Apache relies on to prevent it from doing harm to its own content. Be careful with that, it is a very important line of defense," he said.
While the Apache software does not have write permissions by default, programs such as Joomla will ask users to grant Apache write permissions in order to streamline the installation process or otherwise help facilitate some functionality.
In particular, Joomla asks Apache to write a configuration file to the root directory. It also requests write permission on behalf of Apache for a number of folders it installs.
Temme advised potential Joomla users not to go this default route. The software also allows users to manually place the configuration file in the root directory. And the write permissions for the other folders don't seem to be linked to any vital functionality, he noted. "Joomla will run pretty well without any of those directories," he said.
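The check Temme's advice implies, as an added example (not code from Joomla, Apache or the talk): walk a DocRoot and list every file and directory that the Web server account could write to, judged by POSIX mode bits only. The function names, the numeric uid/gid arguments and the sample tree are assumptions made for this illustration.

```python
import os
import stat
import tempfile


def writable_by(st, uid, gids):
    """Apply POSIX class selection: owner bits, else group bits, else other bits.
    Mode bits only; ACLs and mount options are not considered."""
    if uid == 0:  # root bypasses permission bits
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_docroot(docroot, uid, gids):
    """Return sorted paths (relative to docroot) that uid/gids can write to.
    Directories count: a writable directory lets new files be created in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful
            if writable_by(st, uid, gids):
                findings.append(os.path.relpath(path, docroot))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample DocRoot; names and modes are invented for the demo."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {"index.php": 0o644, "cache/page.html": 0o644}
    for d, mode in (("cache", 0o777), ("logs", 0o775)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.chmod(full, mode)
    os.chmod(root, 0o755)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    st = os.stat(root)
    # Simulate a web server account that neither owns the tree nor shares its group.
    print(audit_docroot(root, st.st_uid + 1, {st.st_gid + 1}))
```

On a real server, pass the uid and group ids of the account Apache runs as; an empty result means the file permissions line of defense is intact for that tree.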
An open source project, Joomla had been designed to ease user deployment and maintenance, according to Open Source Matters, a not-for-profit organization overseeing the project.
In an e-mail interview, Open Source Matters president confirmed that Joomla's default behavior does indeed ask Apache to write to DocRoot, and that it was designed this way to ease installation. "It's common across any [content management system] that has a graphical installer and package manager, and is an artifact of our relentless pursuit of powerful ease-of-use," he wrote. Joomla also provides instructions for placing the configuration file outside the document root, and recommends that server hosts provide additional layers of security to prevent exposing these permissions to outside users.
Although Temme highlighted Joomla only as an example of this practice -- noting that other, less widely used software programs request Apache write permissions for DocRoot as well -- he also called out the Joomla developers on their documentation, again for advocating poor security practice.
The documentation, he noted, instructed users to set up a Joomla database account in such a way that the application could make any changes at all to its databases, through the "grant all privileges" option.
"Why would that user be able to drop the database or drop tables? Typically, applications should not have that kind of access," he said. With this set of permissions, he said, malicious users could try to execute SQL injection attacks to delete database tables or execute other destructive tasks. Temme compared this approach to Bugzilla bug tracking software, which asks users to run a script under root to set up a database, and then establish a Bugzilla user with fewer privileges to handle operations.
Temme attributed these kinds of oversights to a developer team that is probably more concerned with making sure its software works than with ensuring security. Actions such as granting all privileges "is a quick fix but it's not the right fix," he said.