Security by Cookery

Brief thread on apache user support list highlights Doing It Wrong:

Q1: How do I return 404 (not there) instead of 403 (forbidden) for my /cgi-bin/?  IBM Rational AppScan utility tells me to.  I tried […] but it didn’t work, and it blocked my application.

A1: I think you’re misreading your AppScan.  It’s warning about potentially exposing filesystem information.  But there’s nothing secret about a directory containing a web-facing application!  Having said that, [read this doc for one way to do it].

Q2: That may be the case but their recommendation is still: Issue a “404 – Not Found” response status code for a forbidden resource, or remove it completely.

A2: Either they’re wrong or you’re misreading.  But I can see what’s happening.  It’s “chinese whispers”, starting from the CIS benchmark.  Most likely someone along the way (IBM’s tech writer’s boss or somesuch) insisted that a meaningful explanation would be too difficult for their lusers, and either didn’t understand or didn’t care that it’s misleading.

Reminds me of some long and difficult arguments I’ve had over documentation in the past:

Me: (documents something non-trivial)

IdiotManager: You can’t say that, it’s too difficult

Me: I’ve put a lot of time&effort into this.  I can’t see how to simplify further without misleading the reader.

IdiotManager: [suggests a token change that makes no difference to complexity]


IdiotManager can’t/won’t back down, and we end up with something like  … well, I guess like the “security by cookery” document our questioner in the above thread was following.

Fortunately when I came to write a book, the publisher was more professional about these things.  The editors would suggest changes, but never forced destructive changes on me.  That was on balance a positive process: commonly an editor’s suggestion would lead me to rethink and improve how I expressed something.

This, I suspect, is a major reason why corporate documentation is generally so very much worse than either books or free software documentation.

Posted on September 16, 2008, in apache, documentation, rants, security. Bookmark the permalink. Leave a comment.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: