<!ENTITY glossary SYSTEM "glossary.xml">
 <!ENTITY installation SYSTEM "installation.xml">
 <!ENTITY administration SYSTEM "administration.xml">
+<!ENTITY security SYSTEM "security.xml">
 <!ENTITY using SYSTEM "using.xml">
 <!ENTITY integration SYSTEM "integration.xml">
 <!ENTITY index SYSTEM "index.xml">
 <!ENTITY bz-nextver "2.20">
 <!ENTITY bz-date "2004-10-24">
 <!ENTITY % bz-devel "INCLUDE">
+<!ENTITY current-year "2004">
 
 <!ENTITY landfillbase "http://landfill.bugzilla.org/bugzilla-tip/">
 <!ENTITY bz "http://www.bugzilla.org/">
 <!-- Administering Bugzilla -->
 &administration;
 
+<!-- Securing Bugzilla -->
+&security;
+
 <!-- Customizing Bugzilla -->
 &customization;
 
 sgml-shorttag:t
 sgml-tag-region-if-active:t
 End:
--->
+-->
\ No newline at end of file
 
   <glossdiv>
     <title>0-9, high ascii</title>
 
-    <glossentry>
+    <glossentry id="gloss-htaccess">
       <glossterm>.htaccess</glossterm>
 
       <glossdef>
   <glossdiv id="gloss-d">
     <title>D</title>
 
-    <glossentry>
+    <glossentry id="gloss-daemon">
       <glossterm>daemon</glossterm>
 
       <glossdef>
         a web server, are generally run as daemons.</para>
       </glossdef>
     </glossentry>
+    
+    <glossentry id="gloss-dos">
+      <glossterm>DOS Attack</glossterm>
+      
+      <glossdef>
+        <para>A DOS, or Denial of Service attack, is when a user attempts to
+        deny access to a web server by repeatadly accessing a page or sending
+        malformed requests to a webserver. This can be effectively prevented
+        by using <filename>mod_throttle</filename> as described in
+        <xref linkend="security-webserver-mod-throttle"/>. A D-DOS, or
+        Distributed Denial of Service attack, is when these requests come
+        from multiple sources at the same time. Unfortunately, these are much
+        more difficult to defend against.
+        </para>
+      </glossdef>
+    </glossentry>
+    
   </glossdiv>
 
   <glossdiv id="gloss-g">
   <glossdiv id="gloss-s">
     <title>S</title>
 
+    <glossentry id="gloss-service">
+      <glossterm>Service</glossterm>
+      
+      <glossdef>
+        <para>In Windows NT environment, a boot-time background application
+        is refered to as a service. These are generally managed through the
+        control pannel while logged in as an account with
+        <quote>Administrator</quote> level capabilities. For more
+        information, consult your Windows manual or the MSKB.
+        </para>
+      </glossdef>
+    </glossentry>
+
     <glossentry>
       <glossterm>
         <acronym>SGML</acronym>
 sgml-tag-region-if-active:t
 End:
 -->
-
 
 <!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
-<!-- $Id: installation.xml,v 1.81 2004/11/25 08:50:59 jocuri%softhome.net Exp $ -->
+<!-- $Id: installation.xml,v 1.82 2004/12/02 04:21:27 jake%bugzilla.org Exp $ -->
 <chapter id="installing-bugzilla">
   <title>Installing Bugzilla</title>
 
       <para>Poorly-configured MySQL and Bugzilla installations have
       given attackers full access to systems in the past. Please take the
       security parts of these guidelines seriously, even for Bugzilla 
-      machines hidden away behind your firewall.</para>      
+      machines hidden away behind your firewall. Be certain to read
+      <xref linkend="security"/> for some important security tips.</para>      
     </warning>
 
     <section id="localconfig">
     <section id="mysql">
       <title>MySQL</title>
 
-      <section id="security-mysql">
-        <title>Security</title>
-
-        <para>MySQL ships as insecure by default.
-        It allows anybody to on the local machine full administrative 
-        capabilities without requiring a password; the special
-        MySQL root account (note: this is <emphasis>not</emphasis> the same as
-        the system root) also has no password.
-        Also, many installations default to running
-        <application>mysqld</application> as the system root.
+      <caution>
+        <para>MySQL's default configuration is very insecure.
+        <xref linkend="security-mysql"/> has some good information for
+        improving your installation's security.
         </para>
-
-        <orderedlist>
-          <listitem>
-            <para>To disable the anonymous user account
-            and set a password for the root user, execute the following. The
-            root user password should be different to the bugs user password
-            you set in 
-            <filename>localconfig</filename> in the previous section, 
-            and also different to
-            the password for the system root account on your machine.
-            </para>
-            <screen>  <prompt>bash$</prompt> mysql mysql
-  <prompt>mysql></prompt> DELETE FROM user WHERE user = '';
-  <prompt>mysql></prompt> UPDATE user SET password = password('<replaceable>new_password</replaceable>') WHERE user = 'root';
-  <prompt>mysql></prompt> FLUSH PRIVILEGES;</screen>
-  
-            <para>From this point forward, to run the 
-            <filename>mysql</filename> command-line client, 
-            you will need to type
-            <command>mysql -u root -p</command> and enter
-            <replaceable>new_password</replaceable> when prompted.
-            </para>
-          </listitem>
-
-          <listitem>
-            <para>If you run MySQL on the same machine as your web server, you
-            should disable remote access to MySQL by adding
-            the following to your <filename>/etc/my.cnf</filename>:
-            </para>
-            <programlisting>  [myslqd]
-  # Prevent network access to MySQL.
-  skip-networking</programlisting>
-          </listitem>
-
-          <listitem>
-            <para>Consult the documentation that came with your system for
-            information on making <application>mysqld</application> run as an
-            unprivileged user.
-            </para>
-          </listitem>
-
-          <listitem>
-            <para>For added security, you could also run MySQL, or even all 
-            of Bugzilla
-            in a chroot jail; however, instructions for doing that are beyond
-            the scope of this document.
-            </para>
-          </listitem>
-
-        </orderedlist>
-
-      </section>
-      
+      </caution>
+     
       <section id="install-setupdatabase">
         <title>Allow large attachments</title>
         
     <section id="http">
       <title>Web server</title>
       <para>Configure your web server according to the instructions in the
-      appropriate section. The Bugzilla Team recommends Apache.
+      appropriate section. The Bugzilla Team recommends Apache. No matter
+      what webserver you choose, make sure that sensitive information is
+      not remotely available by ensuring that the access controls in
+      <xref linkend="security-webserver-access"/> are properly applied.
       </para>
 
       <section id="http-apache">
 
         <para>Also, and this can't be stressed enough, make sure that files such as
         <filename>localconfig</filename> and your <filename class="directory">data</filename>
-        directory are secured as described in <xref linkend="security-access"/>.
+        directory are secured as described in <xref linkend="security-webserver-access"/>.
         </para>
 
       </section>
         </note>
       </section>
       
-      <section id="security-access">
-        <title>Web Server Access Controls</title>
-
-        <para>Users of Apache can skip this section because
-        Bugzilla ships with <filename>.htaccess</filename> files which 
-        restrict access in the manner required. 
-        Users of other webservers, read on.
-        </para>
-
-        <para>There are several files in the Bugzilla directory
-        that should not be accessible from the web. You need to configure
-        your webserver so they they aren't. Not doing this may reveal
-        sensitive information such as database passwords.
-        </para>
-
-        <itemizedlist spacing="compact">
-          <listitem>
-            <para>In the main Bugzilla directory, you should:</para>
-            <itemizedlist spacing="compact">
-              <listitem>
-                <para>Block:
-                <simplelist type="inline">
-                  <member><filename>*.pl</filename></member>
-                  <member><filename>*localconfig*</filename></member>
-                  <member><filename>runtests.sh</filename></member>
-                </simplelist>
-                </para>
-              </listitem>
-              <listitem>
-                <para>But allow:
-                <simplelist type="inline">
-                  <member><filename>localconfig.js</filename></member>
-                  <member><filename>localconfig.rdf</filename></member>
-                </simplelist>
-                </para>
-              </listitem>
-            </itemizedlist>
-          </listitem>
-
-          <listitem>
-            <para>In <filename class="directory">data</filename>:</para>
-            <itemizedlist spacing="compact">
-              <listitem>
-                <para>Block everything</para>
-              </listitem>
-              <listitem>
-                <para>But allow:
-                <simplelist type="inline">
-                  <member><filename>duplicates.rdf</filename></member>
-                </simplelist>
-                </para>
-              </listitem>
-            </itemizedlist>
-          </listitem>
-
-          <listitem>
-            <para>In <filename class="directory">data/webdot</filename>:</para>
-            <itemizedlist spacing="compact">
-              <listitem>
-                <para>If you use a remote webdot server:</para>
-                <itemizedlist spacing="compact">
-                  <listitem>
-                    <para>Block everything</para>
-                  </listitem>
-                  <listitem>
-                    <para>But allow
-                    <simplelist type="inline">
-                      <member><filename>*.dot</filename></member>
-                    </simplelist>
-                    only for the remote webdot server</para>
-                  </listitem>
-                </itemizedlist>
-              </listitem>
-              <listitem>
-                <para>Otherwise, if you use a local GraphViz:</para>
-                <itemizedlist spacing="compact">
-                  <listitem>
-                    <para>Block everything</para>
-                  </listitem>
-                  <listitem>
-                    <para>But allow:
-                    <simplelist type="inline">
-                      <member><filename>*.png</filename></member>
-                      <member><filename>*.gif</filename></member>
-                      <member><filename>*.jpg</filename></member>
-                      <member><filename>*.map</filename></member>
-                    </simplelist>
-                    </para>
-                  </listitem>
-                </itemizedlist>
-              </listitem>
-              <listitem>
-                <para>And if you don't use any dot:</para>
-                <itemizedlist spacing="compact">
-                  <listitem>
-                    <para>Block everything</para>
-                  </listitem>
-                </itemizedlist>
-              </listitem>
-            </itemizedlist>
-          </listitem>
-
-          <listitem>
-            <para>In <filename class="directory">Bugzilla</filename>:</para>
-            <itemizedlist spacing="compact">
-              <listitem>
-                <para>Block everything</para>
-              </listitem>
-            </itemizedlist>
-          </listitem>
-
-          <listitem>
-            <para>In <filename class="directory">template</filename>:</para>
-            <itemizedlist spacing="compact">
-              <listitem>
-                <para>Block everything</para>
-              </listitem>
-            </itemizedlist>
-          </listitem>
-        </itemizedlist>
-
-        <para>You should test to make sure that the files mentioned above are
-        not accessible from the Internet, especially your
-        <filename>localconfig</filename> file which contains your database
-        password. To test, simply point your web browser at the file; for
-        example, to test mozilla.org's installation, we'd try to access
-        <ulink url="http://bugzilla.mozilla.org/localconfig"/>. You should
-        get a <errorcode>403</errorcode> <errorname>Forbidden</errorname>
-        error.
-        </para>
-      </section>
       
     </section>
     
 
     </section>
     
-    <section id="content-type">
-
-      <title>Prevent users injecting malicious
-      Javascript</title>
-
-      <para>It is possible for a Bugzilla user to take advantage of character
-      set encoding ambiguities to inject HTML into Bugzilla comments. This
-      could include malicious scripts. 
-      Due to internationalization concerns, we are unable to
-      incorporate by default the code changes suggested by 
-      <ulink
-      url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">
-      the CERT advisory</ulink> on this issue.
-      If your installation is for an English speaking audience only, making the
-      change below will prevent this problem. 
-      </para>
-
-      <para>Simply locate the following line in
-      <filename>Bugzilla/CGI.pm</filename>:
-      <programlisting>$self->charset('');</programlisting>
-      and change it to:
-      <programlisting>$self->charset('ISO-8859-1');</programlisting>
-      </para>
-    </section>    
-    
-    <section id="mod-throttle"
-    xreflabel="Using mod_throttle to prevent Denial of Service attacks">
-      <title>
-      <filename>mod_throttle</filename></title>
-
-      <para>It is possible for a user, by mistake or on purpose, to access
-      the database many times in a row which can result in very slow access
-      speeds for other users. If your Bugzilla installation is experiencing
-      this problem, you may install the Apache module 
-      <filename>mod_throttle</filename>
-      which can limit connections by IP address. You may download this module
-      at 
-      <ulink url="http://www.snert.com/Software/mod_throttle/"/>.
-      Follow the instructions to install into your Apache install. 
-      <emphasis>This module only functions with the Apache web
-      server!</emphasis>
-      The command you need is 
-      <command>ThrottleClientIP</command>. See the 
-      <ulink url="http://www.snert.com/Software/mod_throttle/">documentation</ulink>
-      for more information.</para>
-    </section>
-    
-    <section id="security-networking">
-      <title>TCP/IP Ports</title>
-
-      <para>A single-box Bugzilla only requires port 80, plus port 25 if
-      you are using the optional email interface. You should firewall all 
-      other ports and/or disable services listening on them.
-      </para>
-    </section>
-
-    <section id="security-daemon">
-      <title>Daemon Accounts</title>
-
-      <para>Many daemons, such as Apache's httpd and MySQL's mysqld default to
-      running as either <quote>root</quote> or <quote>nobody</quote>. Running
-      as <quote>root</quote> introduces obvious security problems, but the
-      problems introduced by running everything as <quote>nobody</quote> may
-      not be so obvious. Basically, if you're running every daemon as
-      <quote>nobody</quote> and one of them gets compromised, they all get
-      compromised. For this reason it is recommended that you create a user
-      account for each daemon.
-      </para>
-    </section>
     <section id="apache-addtype">
       <title>Serving Alternate Formats with the right MIME type</title>
 
         <para>As is the case on Unix based systems, any web server should be
         able to handle Bugzilla; however, the Bugzilla Team still recommends
         Apache whenever asked. No matter what web server you choose, be sure
-        to pay attention to the security notes in <xref linkend="security-access"/>.
+        to pay attention to the security notes in <xref linkend="security-webserver-access"/>.
         More information on configuring specific web servers can be found in
         <xref linkend="http"/>.
         </para>
 sgml-tag-region-if-active:t
 End:
 -->
-
 
--- /dev/null
+<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
+<!-- $Id: security.xml,v 1.1 2004/12/02 04:21:27 jake%bugzilla.org Exp $ -->
+
+<chapter id="security">
+<title>Bugzilla Security</title>
+
+  <para>While some of the items in this chapter are related to the operating
+  system Bugzilla is running on or some of the support software required to
+  run Bugzilla, it is all related to protecting your data. This is not
+  intended to be a comprehensive guide to securing Linux, Apache, MySQL, or
+  any other piece of software mentioned. There is no substitute for active
+  administration and monitoring of a machine. The key to good security is
+  actually right in the middle of the word: <emphasis>U R It</emphasis>.
+  </para>
+  
+  <para>While programmers in general always strive to write secure code,
+  accidents can and do happen. The best approach to security is to always
+  assume that the program you are working with isn't 100% secure and restrict
+  its access to other parts of your machine as much as possible.
+  </para>
+ 
+  <section id="security-os">
+  <title>Operating System</title>
+  
+    <section id="security-os-ports">
+    <title>TCP/IP Ports</title>
+    
+      <!-- TODO: Get exact number of ports -->
+      <para>The TCP/IP standard defines more than 65,000 ports for sending
+      and receiving traffic. Of those, Bugzilla needs exactly one to operate
+      (different configurations and options may require up to 3). You should
+      audit your server and make sure that you aren't listening on any ports
+      you don't need to be. It's also highly recommended that the server
+      Bugzilla resides on, along with any other machines you administer, be
+      placed behind some kinda of firewall.
+      </para>
+    
+    </section>
+    
+    <section id="security-os-accounts">
+    <title>System User Accounts</title>
+    
+      <para>Many <glossterm linkend="gloss-daemon">daemon</glossterm>, such
+      as Apache's <filename>httpd</filename> or MySQL's
+      <filename>mysqld</filename>, run as either <quote>root</quote> or
+      <quote>nobody</quote>. This is even worse on Windows machines where the
+      majority of <glossterm linkend="gloss-service">services</glossterm>
+      run as <quote>SYSTEM</quote>. While running as <quote>root</quote> or
+      <quote>SYSTEM</quote> introduces obvious security concerns, the
+      problems introduced by running everything as <quote>nobody</quote> may
+      not be so obvious. Basically, if you run every daemon as
+      <quote>nobody</quote> and one of them gets comprimised it can
+      comprimise every other daemon running as <quote>nobody</quote> on your
+      machine. For this reason it is recommended that you create a user
+      account for each daemon.
+      </para>
+    
+      <note>
+        <para>You will need to set the <option>webservergroup</option> option
+        in <filename>localconfig</filename> to the group your webserver runs
+        as. This will allow <filename>./checksetup.pl</filename> to set file
+        permissions on Unix systems so that nothing is world-writable.
+        </para>
+      </note>
+    
+    </section>
+    
+    <section id="security-os-chroot">
+    <title>The <filename>chroot</filename> Jail</title>
+    
+      <para>If your system supports it, you may wish to consider running
+      Bugzilla inside of a <filename>chroot</filename> jail. This option
+      provides unpresidented security by restricting anything running
+      inside the jail from accessing any information outside of it. If you
+      wish to use this option, please consult the documentation that came
+      with your system.
+      </para>
+      
+    </section>
+  
+  </section>
+  
+  
+  
+  <section id="security-mysql">
+  <title>MySQL</title>
+  
+    <section id="security-mysql-account">
+    <title>The MySQL System Account</title>
+    
+      <para>As mentioned in <xref linkend="security-os-accounts"/>, the MySQL
+      daemon should run as a non-privleged, unique user. Be sure to consult
+      the MySQL documentation or the documentation that came with your system
+      for instructions.
+      </para>
+    </section>
+    
+    <section id="security-mysql-root">
+    <title>The MySQL <quote>root</quote> and <quote>anonymous</quote> Users</title>
+    
+      <para>By default, MySQL comes with a <quote>root</quote> user with a
+      blank password and an <quote>anonymous</quote> user, also with a blank
+      password. In order to protect your data, the <quote>root</quote> user
+      should be given a password and the anonymous user should be disabled.
+      </para>
+      
+      <example id="security-mysql-account-root">
+      <title>Assigning the MySQL <quote>root</quote> User a Password</title>
+      
+        <screen>
+<prompt>bash$</prompt> mysql mysql
+<prompt>mysql></prompt> UPDATE user SET password = password('<replaceable>new_password</replaceable>') WHERE user = 'root';
+<prompt>mysql></prompt> FLUSH PRIVILEGES;
+        </screen>
+      </example>
+      
+      <example id="security-mysql-account-anonymous">
+      <title>Disabling the MySQL <quote>anonymous</quote> User</title>
+        <screen>
+<prompt>bash$</prompt> mysql -u root -p mysql           <co id="security-mysql-account-anonymous-mysql"/>
+<prompt>Enter Password:</prompt> <replaceable>new_password</replaceable>
+<prompt>mysql></prompt> DELETE FROM user WHERE user = '';
+<prompt>mysql></prompt> FLUSH PRIVILEGES;
+        </screen>
+        <calloutlist>
+          <callout arearefs="security-mysql-account-anonymous-mysql">
+            <para>This command assumes that you have already completed
+            <xref linkend="security-mysql-account-root"/>.
+            </para>
+          </callout>
+        </calloutlist>
+      </example>
+          
+    </section>
+    
+    <section id="security-mysql-network">
+    <title>Network Access</title>
+    
+      <para>If MySQL and your webserver both run on the same machine and you
+      have no other reason to access MySQL remotely, then you should disable
+      the network access. This, along with the suggestion in
+      <xref linkend="security-os-ports"/>, will help protect your system from
+      any remote vulnerabilites in MySQL. This is done using different
+      methods in MySQL versions 3 and 4.
+      </para>
+      
+      <example>
+      <title>Disabling Networking in MySQL 3.x</title>
+      
+        <para>Simply enter the following in <filename>/etc/my.conf</filename>:
+        <screen>
+[myslqd]
+# Prevent network access to MySQL.
+skip-networking
+        </screen>
+        </para>
+      </example>
+      
+      <example>
+      <title>Disabling Networking in MySQL 4.x</title>
+      
+        <para>There's a bug in Bugzilla about this</para>
+      </example>
+      
+    </section>
+
+
+<!-- For possible addition in the future: How to better control the bugs user
+    <section id="security-mysql-bugs">
+    <title>The bugs User</title>
+    
+    </section>
+-->
+  
+  </section>
+  
+  
+  
+  <section id="security-webserver">
+  <title>Webserver</title>
+
+    <section id="security-webserver-access">
+    <title>Disabling Remote Access to Bugzilla Configuration Files</title>
+    
+      <para>There are many files that are placed in the Bugzilla directory
+      area that should not be accessable from the web. Because of the way
+      Bugzilla is currently layed out, the list of what should and should not
+      be accessible is rather complicated. A new installation method is
+      currently in the works which should solve this by allowing files that
+      shouldn't be accessible from the web to be placed in directory outside
+      the webroot. See 
+      <ulink url="http://bugzilla.mozilla.org/show_bug.cgi?id=44659">bug 44659</ulink>
+      for more information.
+      </para>
+      
+      <tip>
+        <para>Bugzilla ships with the ability to create
+        <glossterm linkend="gloss-htaccess"><filename>.htaccess</filename></glossterm>
+        files that enforce these rules. Instructions for enabling these
+        directives in Apache can be found in <xref linkend="http-apache"/>
+        </para>
+      </tip>
+        
+      <itemizedlist spacing="compact">
+        <listitem>
+          <para>In the main Bugzilla directory, you should:</para>
+          <itemizedlist spacing="compact">
+            <listitem>
+              <para>Block:
+              <simplelist type="inline">
+                <member><filename>*.pl</filename></member>
+                <member><filename>*localconfig*</filename></member>
+                <member><filename>runtests.sh</filename></member>
+              </simplelist>
+              </para>
+            </listitem>
+            <listitem>
+              <para>But allow:
+              <simplelist type="inline">
+                <member><filename>localconfig.js</filename></member>
+                <member><filename>localconfig.rdf</filename></member>
+              </simplelist>
+              </para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+
+        <listitem>
+          <para>In <filename class="directory">data</filename>:</para>
+          <itemizedlist spacing="compact">
+            <listitem>
+              <para>Block everything</para>
+            </listitem>
+            <listitem>
+              <para>But allow:
+              <simplelist type="inline">
+                <member><filename>duplicates.rdf</filename></member>
+              </simplelist>
+              </para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+
+        <listitem>
+          <para>In <filename class="directory">data/webdot</filename>:</para>
+          <itemizedlist spacing="compact">
+            <listitem>
+              <para>If you use a remote webdot server:</para>
+              <itemizedlist spacing="compact">
+                <listitem>
+                  <para>Block everything</para>
+                </listitem>
+                <listitem>
+                  <para>But allow
+                  <simplelist type="inline">
+                    <member><filename>*.dot</filename></member>
+                  </simplelist>
+                  only for the remote webdot server</para>
+                </listitem>
+              </itemizedlist>
+            </listitem>
+            <listitem>
+              <para>Otherwise, if you use a local GraphViz:</para>
+              <itemizedlist spacing="compact">
+                <listitem>
+                  <para>Block everything</para>
+                </listitem>
+                <listitem>
+                  <para>But allow:
+                  <simplelist type="inline">
+                    <member><filename>*.png</filename></member>
+                    <member><filename>*.gif</filename></member>
+                    <member><filename>*.jpg</filename></member>
+                    <member><filename>*.map</filename></member>
+                  </simplelist>
+                  </para>
+                </listitem>
+              </itemizedlist>
+            </listitem>
+            <listitem>
+              <para>And if you don't use any dot:</para>
+              <itemizedlist spacing="compact">
+                <listitem>
+                  <para>Block everything</para>
+                </listitem>
+              </itemizedlist>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+
+        <listitem>
+          <para>In <filename class="directory">Bugzilla</filename>:</para>
+          <itemizedlist spacing="compact">
+            <listitem>
+              <para>Block everything</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+
+        <listitem>
+          <para>In <filename class="directory">template</filename>:</para>
+          <itemizedlist spacing="compact">
+            <listitem>
+              <para>Block everything</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+      </itemizedlist>
+
+      <para>Be sure to test that data that should not be accessed remotely is
+      properly blocked. Of particular intrest is the localconfig file which
+      contains your database password. Also, be aware that many editors
+      create temporary and backup files in the working directory and that
+      those should also not be accessable. For more information, see 
+      <ulink url="http://bugzilla.mozilla.org/show_bug.cgi?id=186383">bug 186383</ulink>
+      or
+      <ulink url="http://online.securityfocus.com/bid/6501">Bugtraq ID 6501</ulink>.
+      To test, simply point your web browser at the file; for example, to
+      test mozilla.org's installation, we'd try to access
+      <ulink url="http://bugzilla.mozilla.org/localconfig"/>. You should get
+      a <errorcode>403</errorcode> <errorname>Forbidden</errorname> error.
+      </para>
+      
+      <tip>
+        <para>Be sure to check <xref linkend="http"/> for instructions
+        specific to the webserver you use.
+        </para>
+      </tip>
+    
+    </section>
+
+
+    <section id="security-webserver-mod-throttle">
+      <title>Using <filename>mod_throttle</filename> to Prevent a DOS</title>
+
+      <note>
+        <para>This section only applies to people who have chosen the Apache
+        webserver. It may be possible to do similar things with other
+        webservers. Consult the documentation that came with your webserver
+        to find out.
+        </para>
+      </note>
+
+      <para>It is possible for a user, by mistake or on purpose, to access
+      the database many times in a row which can result in very slow access
+      speeds for other users (effectively, a
+      <glossterm linkend="gloss-dos">DOS</glossterm> attack). If your
+      Bugzilla installation is experiencing this problem, you may install
+      the Apache module <filename>mod_throttle</filename> which can limit
+      connections by IP address. You may download this module at 
+      <ulink url="http://www.snert.com/Software/mod_throttle/"/>.
+      Follow the instructions to install into your Apache install. 
+      The command you need is 
+      <command>ThrottleClientIP</command>. See the 
+      <ulink url="http://www.snert.com/Software/mod_throttle/">documentation</ulink>
+      for more information.</para>
+    </section>
+
+      
+  </section>
+  
+  
+  <section id="security-bugzilla">
+  <title>Bugzilla</title>
+
+    <section id="security-bugzilla-charset">
+    <title>Prevent users injecting malicious Javascript</title>
+
+      <para>It is possible for a Bugzilla user to take advantage of character
+      set encoding ambiguities to inject HTML into Bugzilla comments. This
+      could include malicious scripts. 
+      Due to internationalization concerns, we are unable to
+      incorporate by default the code changes suggested by 
+      <ulink
+      url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">
+      the CERT advisory</ulink> on this issue.
+      If your installation is for an English speaking audience only, making the
+      change below will prevent this problem. 
+      </para>
+
+      <para>Simply locate the following line in
+      <filename>Bugzilla/CGI.pm</filename>:
+      <programlisting>$self->charset('');</programlisting>
+      and change it to:
+      <programlisting>$self->charset('ISO-8859-1');</programlisting>
+      </para>
+    </section>    
+    
+  </section>
+
+</chapter> 
+
+<!-- Keep this comment at the end of the file 
+Local variables: 
+mode: sgml 
+sgml-always-quote-attributes:t
+sgml-auto-insert-required-elements:t
+sgml-balanced-tag-edit:t
+sgml-exposed-tags:nil
+sgml-general-insert-case:lower
+sgml-indent-data:t 
+sgml-indent-step:2 
+sgml-local-catalogs:nil
+sgml-local-ecat-files:nil 
+sgml-minimize-attributes:nil
+sgml-namecase-general:t 
+sgml-omittag:t
+sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter")
+sgml-shorttag:t 
+sgml-tag-region-if-active:t 
+End: -->