Re: How to check if my Apache version is vulnerable?

https://serverfault.com/questions/362205/apache-server-vulnerability-check

What you're doing is generally ill-advised, however you can take some steps to make it safer. I'm assuming you're using a distribution that old because you have some unsupported application that "requires" that platform. If you don't have to use that old distro then, as @HTTP500 suggests, dump it for a newer distro.

@HTTP500 recommends a web application vulnerability scanner, but I'd be more apt to recommend a general vulnerability scanner like Tenable Nessus or OpenVAS.

Otherwise, secure the machine as you would normally. Start by doing the basics: Remove any unnecessary software from the installation. Disable any unnecessary services. Tighten up the firewall rules to allow only inbound and outbound traffic that you expect. Change any default passwords and remove any accounts that aren't needed. Update everything to the last supported version.

After you've done all that, start researching every piece of software that untrusted users will be interacting with for vulnerabilities. I like CVE Details, personally, but there are a number of vulnerability databases out there.

If you find a significant vulnerability in any of the software stack you should either dump the software or backport a fixed version onto your distro. The difficulty of backporting will depend on how much other software (shared libraries, etc.) depends on the software being fixed. In some cases you may be able to set up another machine running the old distribution with compilers and build an RPM for a new program fairly easily. In other cases you're going to find yourself backporting a huge amount of software.

If the vulnerabilities you find can be mitigated by an application layer firewall / filter application (a "web application firewall", etc) you might consider deploying such a thing in front of the vulnerable server. I always caution that this doesn't actually mitigate the vulnerabilities, it just makes them more difficult to exploit. You have to be extra-vigilant that there aren't ways around the filtering functionality that would allow attackers to directly attack the vulnerable server.


On Fri, Dec 27, 2019 at 4:14 PM Satish Chhatpar 02 <ChhatpS02@xxxxxxxxxx> wrote:
Hi,

Any help is appreciated.

Is there a way to check if my Apache is vulnerable to the 10 items below?

HTTP_Apache_SlashSlash
HTTP_DotDot
HTTP_DotDotDot
HTTP_HTML_Tag_Injection
HTTP_PHP_Script_Injection
HTTP_Unknown_Protocol
HTTP_URL_BackslashDotDot
HTTP_XSS_JavaScript_Function_Exec
HTTPS_Apache_ClearText_DoS
SQL_Injection


FYI

running on Linux OS
Red Hat Enterprise Linux Server release 7.1 (Maipo)

with Apache version
Server version: Apache/2.4.6

and
PHP version  PHP 5.4.16

and
MySQL version
mysql  Ver 14.14 Distrib 5.5.47, for Linux (x86_64) using readline 5.1



Regards
Satish Chhatpar

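The reply above recommends researching each component for known vulnerabilities and, where needed, backporting fixes. One practical check on a Red Hat system, added here as an example and not part of either message, is to read the httpd package changelog rather than trusting the "Apache/2.4.6" banner: Red Hat keeps the upstream base version in the banner and backports security fixes into later package releases, and `rpm -q --changelog httpd` lists the CVE ids those releases fixed. The script below assumes `rpm` is available when run on the real host; the changelog sample and the `CVE-0000-*` ids in it are constructed placeholders, not real advisories.

```python
"""Check an RPM-packaged httpd for backported CVE fixes via its changelog.

Added example, not from the original thread. On RHEL-style distributions the
banner stays at the upstream base version (here Apache/2.4.6) while security
fixes are backported into later package releases, so matching the banner
against upstream advisories overstates exposure. The package changelog,
printed by `rpm -q --changelog httpd`, records which CVE ids were fixed.
"""
import re
import subprocess
from typing import Dict, Iterable, Optional, Set

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")

# Constructed sample of `rpm -q --changelog httpd` output. The CVE ids are
# placeholders (CVE-0000-*), not real advisories.
SAMPLE_CHANGELOG = """\
* Tue Jan 01 2019 Example Packager <packager@example.invalid> - 2.4.6-90
- Resolves: #100001 - CVE-0000-0001 mod_example: placeholder issue
- Resolves: #100002 - CVE-0000-0002 core: placeholder issue

* Mon Jun 04 2018 Example Packager <packager@example.invalid> - 2.4.6-80
- Resolves: #100003 - CVE-0000-0003 placeholder issue
"""


def cves_in_changelog(changelog: str) -> Set[str]:
    """Return every CVE id mentioned anywhere in the changelog text."""
    return set(CVE_RE.findall(changelog))


def read_package_changelog(package: str = "httpd") -> Optional[str]:
    """Run `rpm -q --changelog <package>`; return None if rpm is missing or
    the package is not installed, so callers can fall back to sample data."""
    try:
        proc = subprocess.run(
            ["rpm", "-q", "--changelog", package],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return None
    return proc.stdout if proc.returncode == 0 else None


def check_cves(wanted: Iterable[str], changelog: str) -> Dict[str, bool]:
    """Map each wanted CVE id to True when the changelog references it.

    False means the changelog does not mention the id: either the fix was
    never shipped for this package or it was shipped under a different
    reference, so it still needs checking against the vendor's errata.
    """
    fixed = cves_in_changelog(changelog)
    return {cve.upper(): cve.upper() in fixed for cve in wanted}


if __name__ == "__main__":
    changelog = read_package_changelog("httpd") or SAMPLE_CHANGELOG
    # Placeholder ids to look up; substitute the CVE ids from your own research.
    for cve, fixed in check_cves(["CVE-0000-0002", "CVE-0000-0009"], changelog).items():
        state = "fixed in package changelog" if fixed else "NOT referenced; check vendor errata"
        print(f"{cve}: {state}")
```

A "not referenced" result is a prompt to look the id up in the vendor's errata, not proof of exposure: a fix may be recorded under a bug number only, or the affected module may not be built into the package at all. The same idea applies to the PHP and MySQL packages listed in the question, since their banners are equally silent about backported fixes.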

