Hello, welcome to the Tuesday, January 17th, 2017 edition of the Sansanet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Brussels, Belgium.

On Friday, Xavier wrote about how various backup files can get you in trouble with Apache

if you leave them behind in the document route.

Now, the solution that Xavier suggested and it's of the standard solution to this is, first of all,

don't keep those files in the document route, and then also consider blacklisting certain

extensions.

Plaquisting is always dangerous because it's easy to miss a particular extension

that may be used, for example, by an editor as a backup file that you were just not aware of.

So today I wrote a little bit a diary with a different approach for you, white list extensions

with Apache that you would like to serve.

This way you avoid the issue of having to enumerate all the bad extensions that could

possibly happen.

And at least for a reasonably simple website, the white listing approach should work just fine.

As usual, any feedback regarding the scripts that I posted is appreciated.

They work for me, but I certainly have not tested them for all possible configurations of Apache.

And of course, would also be nice to extend it, for example, to EngineX, or maybe even for mod security,

which I haven't done yet. And WordPress released version 471. Among the vulnerabilities being

fixed in this version is the famous PHP Mailer vulnerability that we have talked about around New Year.

Now, it wasn't really clear whether or not this vulnerability was actually exploitable in standard

WordPress installs.

But while the PHP Mailer Warner Warner Warner is probably the best known, there are also a number

...