On 11/28/05, syona m <syona2k@xxxxxxxxx> wrote:
>
> First, my sincere apologies to Joshua for the inconvenience caused. Seeing these vulnerabilities panicked me. Please accept my apologies; it won't be happening again.
>
> To answer your questions, I have the following info:
> 1) We make use of Sun Solaris 8. I am not sure whether this is a big- or little-endian 64-bit platform.

Solaris SPARC is big-endian, I believe. (Solaris Intel is little-endian.) You may or may not have 64-bit, depending on how you installed. In this case, you need to make sure that any "Deny" directive you have in httpd.conf also uses a netmask (as in Deny from 10.1.0.0/255.255.0.0).

> 2) Our software is deployed at the customer site, so upgrading to a new Apache version doesn't seem to be a solution for us.

That's not very good. At some point there may be a security problem that is serious. What are you going to do then? A minor upgrade of Apache is quite easy to do, so that is definitely the recommended course of action. Having installed software that you are unable to patch is a very bad idea.

> 1) How can I run htpasswd as setuid? I am not clear about this point.

htpasswd is *not* normally run suid, and that is fine. This bug only applies if you let untrusted users run htpasswd using privileges other than their own. This is not a typical setup, and you wouldn't have it set up that way unless you specifically changed the permissions. If you are really worried, just delete htpasswd, which you probably don't need.

> 2) Is there any way I can test by injecting escape sequences into an Apache error or access log?

Sure, but what is the point? Escape sequences in the log are not dangerous. It has been possible to put raw garbage in the Apache log since the first version of Apache, and this has always been clearly documented. You should just avoid using a broken terminal emulator that may interpret the escape sequences. (To be safe, just never view the logs at the terminal. Use an editor, as in "tail error_log > tmp; vi tmp".)

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
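Joshua's advice above is to never let raw log data reach a terminal that might interpret escape sequences. The following is an added shell example, not part of the original thread or of the Apache project: a small filter that removes CSI escape sequences and any remaining ASCII control characters (tab and newline excepted) from a log before it is displayed, plus a `safe_tail` helper that wraps the `tail` step from the reply. Function names and the sample log line are constructed for this illustration.

```shell
#!/bin/sh
# strip_controls: read log text on stdin, drop terminal escape sequences and
# stray control characters, write the cleaned text to stdout.
# Hypothetical helper written for this example.
strip_controls() {
    # ESC byte as a variable so the sed expression stays portable across shells.
    esc=$(printf '\033')
    # 1) remove complete CSI sequences: ESC '[' parameter bytes, final byte 0x40-0x7E
    # 2) delete every other C0 control byte and DEL, keeping tab (\011) and newline (\012)
    LC_ALL=C sed -E "s/${esc}\[[0-9;?]*[@-~]//g" \
        | LC_ALL=C tr -d '\000-\010\013\014\016-\037\177'
}

# safe_tail FILE [LINES]: show the last LINES lines (default 50) of FILE,
# sanitised, instead of paging the raw log at the terminal.
safe_tail() {
    tail -n "${2:-50}" "$1" | strip_controls
}

# clean_sample: feeds one constructed request-log line (containing a CSI
# "clear screen" sequence and an OSC title sequence) through the filter and
# returns the result, so the behaviour can be checked without a real log file.
clean_sample() {
    printf 'GET /\033[2Jindex.html\033]0;title\007 HTTP/1.0\n' | strip_controls
}

# Example run: cleaned line is printed; the escape bytes are gone and only
# harmless residue of the OSC sequence ("]0;title") remains visible.
clean_sample
```

The filter is deliberately conservative: it does not try to understand every escape family, it only guarantees that no ESC, BEL or other control byte survives to the terminal, which is all that is needed to make the log safe to read with `cat` or `tail`.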