Miva Support Tech Note #1
Miva Empresa Security Configuration Options
February 10, 2000
email: support@miva.com
Web: http://www.miva.com/support
______________________________________________________________
In this tech note:
* Introducing Miva Support Tech Notes.
* Web Site Security - Are you configured correctly?
* About the redirectonly configuration option
* About the validextensions configuration option
* Using configuration options in VirtualHost Blocks
______________________________________________________________
* Introducing Miva Support Tech Notes.
Welcome to the first Miva Support Tech Note.
The purpose of a Tech Note is to get useful information from
the Miva Support Dept out to valued customers like you.
If you ever have a question about an item in a Tech Note, or
have any questions about using our software, please contact
us by email: support@miva.com or by phone at:
858-490-2570 Ext. 3
You can also contact our Support Manager, Jeff Huber, directly
by sending email to jeff@miva.com or calling:
858-490-2570 Ext. 108
______________________________________________________________
* Web Site Security - Are you configured correctly?
If you are using a standard Apache install, with the Miva Engine
being called via CGI-redirect, then you should make sure you
have the following two lines in your miva.conf file:
    redirectonly=yes
    validextensions=.mv,.hts
This prevents people from using CGI-style URLs to circumvent
WWW server document security, and stops users from parsing
files via the Miva Engine other than those with .mv and .hts
extensions.
For more information on using these options see the sections
that follow.
______________________________________________________________
* About the redirectonly configuration option
When redirectonly is set to 'yes', the Miva Engine will only
process scripts when invoked via Apache CGI-redirect, and will
reject standard CGI requests. This prevents people from using
CGI-style URLs to circumvent WWW server document security.
This is needed because the Miva Engine in server-safe mode
runs at the permission level of the owner of the file being
parsed. A standard CGI request can therefore reach any sub
directory of the website that the file's owner has permission
to access, even if an .htaccess file or similar measure was
used to restrict access to that sub directory.
Thus if someone tried to access a sub directory that only 'user1'
had access to, and they used a URL like:
    www.site.com/restricted_dir/file.html
they would be prompted to enter a username and password, or be
given an Access Denied error. But if they called the same file
using a URL like:
    www.site.com/cgi-bin/miva?restricted_dir/file.html
the Miva Engine would be running as the owner of 'file.html'
(user1 in this case), and thus that file would be parsed by
the Miva Engine and served out to the browser.
Setting redirectonly=yes in the miva.conf file prevents
the use of that URL to access the restricted file.
______________________________________________________________
* About the validextensions configuration option
When defined, the Miva Engine will only execute scripts with
one of the extensions listed. Example:
    validextensions=.mv,.hts
This would mean that the Miva Engine would execute scripts
only if they had a '.mv' or '.hts' extension. Thus the
following URL:
    www.site.com/cgi-bin/miva?protected/file.html
would produce an error message.
______________________________________________________________
* Using configuration options in VirtualHost Blocks
It is important to note that the configuration options can be
set either in the main body of the miva.conf, within
VirtualHost blocks for specific domains, or in both places at
once. This is useful for setting options very restrictively
at the global level of the miva.conf file, and then setting
them less restrictively within individual VirtualHost blocks.
For example you could use:
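# Begin sample miva.conf file
# Global settings: apply to every host unless a block overrides them
authfile=/usr/local/miva/authfile
redirectonly=yes
validextensions=.mv
# site1 inherits the global settings unchanged
<VirtualHost site1.com>
mivaroot=/home/sites/site1/www
</VirtualHost>
# site2 additionally allows the .hts extension
<VirtualHost site2.com>
mivaroot=/home/sites/site2/www
validextensions=.mv,.hts
</VirtualHost>
# site3 accepts CGI-style URLs, but only for .mv files
<VirtualHost site3.com>
mivaroot=/home/sites/site3/www
redirectonly=no
validextensions=.mv
</VirtualHost>
# End sample miva.conf file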
This would mean all Miva Script files on site1.com had to be
named with '.mv' extensions and be called directly like:
    site1.com/file.mv
Whereas site2 needed to call files like:
    site2.com/file.mv
but could also call:
    site2.com/file.hts
Whereas site3 could use URLs like:
    site3.com/cgi-bin/miva?file.mv
    site3.com/file.mv
but not those like:
    site3.com/cgi-bin/miva?file.hts
    site3.com/cgi-bin/miva?file.html
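
The global-plus-override behaviour described above, modelled as an added example (this is not Miva's code and not part of the original tech note). It assumes VirtualHost blocks are delimited by <VirtualHost host> and </VirtualHost> lines and that an unset redirectonly behaves as 'no'; the function names and the sample configuration are constructed for illustration.

```python
import os

# Constructed sample, mirroring the tech note's example configuration.
SAMPLE_CONF = """\
redirectonly=yes
validextensions=.mv
<VirtualHost site1.com>
mivaroot=/home/sites/site1/www
</VirtualHost>
<VirtualHost site2.com>
mivaroot=/home/sites/site2/www
validextensions=.mv,.hts
</VirtualHost>
<VirtualHost site3.com>
mivaroot=/home/sites/site3/www
redirectonly=no
validextensions=.mv
</VirtualHost>
"""

def effective_settings(conf_text):
    """Return {host: options}; values in a block override the global ones."""
    global_opts, hosts, current = {}, {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("<virtualhost"):
            current = hosts.setdefault(line[len("<virtualhost"):].strip(" >"), {})
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            target = global_opts if current is None else current
            target[key.strip().lower()] = value.strip()
    return {host: {**global_opts, **opts} for host, opts in hosts.items()}

def request_allowed(settings, script_path, via_cgi_url):
    """Apply the two checks the note describes to a single request."""
    # Assumption: redirectonly defaults to 'no' when it is not set anywhere.
    if via_cgi_url and settings.get("redirectonly", "no").lower() == "yes":
        return False  # cgi-bin/miva?path style request is rejected
    allowed = settings.get("validextensions")
    if not allowed:
        return True  # option undefined: no extension filtering
    exts = [e.strip().lower() for e in allowed.split(",")]
    return os.path.splitext(script_path)[1].lower() in exts

def hosts_accepting_cgi_urls(conf_text):
    """Hosts whose effective redirectonly is not 'yes' (review these first)."""
    return sorted(h for h, s in effective_settings(conf_text).items()
                  if s.get("redirectonly", "no").lower() != "yes")
```

Running hosts_accepting_cgi_urls() over a real miva.conf gives the list of hosts where the .htaccess bypass described earlier is still possible.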
______________________________________________________________
Non-Internet Access Information
Miva Corporation
2629 Ariane Drive
San Diego, CA 92117
858-490-2570: voice - For Support Press 3
858-490-0548: fax
______________________________________________________________
Miva is a registered trademark of Miva Corporation. "High
Velocity E-Commerce," Miva Mia, Miva Empresa, Miva Merchant,
Miva Order and Miva Engine are trademarks of Miva Corporation.
All other trademarks are the property of their respective
owners. This document is copyright 2000 Miva Corporation.
All rights reserved.
______________________________________________________________