Re: [users@httpd] Help required for security vulnerabilities in 1.3.29

[syona m <syona2k@xxxxxxxxx>]

First My sincere appologies to Joshua for the inconivience caused, Seeing these vulnerabilities panicked me. Please accept my appologies and it wont be happening again

 

to answer your questions, I have following info

1)We make use of sun solaris 8 am not sure whether this is a big or small endian 64 bit platform
2)Our software is deployed at the customer site so upgrading to new apache version doesnt sem to be a solution for us

3)Also will try to find the answers to other questions put

 

Here I have following other questions

1)How can i run the htpasswd run as setuid? AM not clear about this point

2)Is there anyways I can test by injecting inject escape sequences into an Apache error or access log?

 

Thanks for all your time and help a nd am sorry again for the incovinience caused

 

Thanks and Regards

Syona

Joshua Slive <jslive@xxxxxxxxx> wrote:

On 11/28/05, syona m wrote:
> Hi All,
>
> This is a little urgent. We are making use of apache 1.3.29 in our project
> and while running "Nessus" security scan shows what it believes to be
> security vulnerabilties found within Apache ports. They need to know if
> these are validsecurity concerns or "False Positives" . Below are the case
> ids

First, you need to think a little more about what you are doing before
sending scattershot email to ev ery address you can find. You sent
this message also to me personally, to our security notification
address (which specifically forbids messages of this type) and to
god-only-knows how many other addresses. I find this very rude and
inconsiderate since it wastes the time of the people who you want to
help you. Please consider this the next time you have a problem.

The appropriate forum for this type of question is the
users@xxxxxxxxxxxxxxxx mailing list, to which I am now replying.

To start, you can get information on apache 1.3 security vulnerabilities here:
http://httpd.apache.org/security/vulnerabilities_13.html
You'll notice this lines up quite closely with the list you quote.
All of these problems could be fixed simply by upgrading your server
to the most recent 1.3 release: 1.3.33.

Are these important security vulnerabilities? Not really, but it
depends on the context. If you are running on a 64-bit big-endian
platf orm, then CVE-2003-0993 could be a problem. If you let untrusted
users run ssi, then CVE-2004-0940 could be a problem. If you are a
frequent target of Denial of Service attacks, then several of them
might be important.

The PUT and DELETE warnings are probably a false positive, but I don't
know how Nessus is doing its testing, so I can't tell for sure. Do
you run mod_dav? Do you run a CGI script that doesn't check its
methods?

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

---

 Yahoo! Music Unlimited - Access over 1 million songs. Try it free.