Re: [users@httpd] Help required for security vulnerabilities in 1.3.29

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks for the help Joshua
 
Can anyone suggest me how can I test whether my server is impacted by the escape sequence vulnerability
" The target is running an Apache web server which allows for the injection  of arbitrary escape sequences into its error logs. An attacker might use  this vulnerability in an attempt to exploit similar vulnerabilities in  terminal emulators.                                    "
 
Thanks for help
 
Regards
Priya
ESN 6 393 1598

Joshua Slive <jslive@xxxxxxxxx> wrote:
On 11/28/05, syona m wrote:
>
> First My sincere appologies to Joshua for the inconivience caused, Seeing these vulnerabilities panicked me. Please accept my appologies and it wont be happening again
>
> to answer your questions, I have following info
> 1)We make use of sun solaris 8 am not sure whether this is a big or small endian 64 bit platform

Solaris sparc is big-endian, I believe. (Solaris Intel is
little-endian.) You may or may-not have 64-bit, depending on how you
installed.

In this case, you need to make sure that any "Deny" directive you have
in httpd.conf also uses a netmask (as in Deny from
10.1.0.0/255.255.0.0).

> 2)Our software is deployed at the customer site so upgrading to new apache version doesnt sem to be a solution for us

That's not very good. At some point there may be a security problem
that is serious. What are you going to do then? A minor upgrade of
apache is quite easy to do, so that is definitely the recommended
course of action. Having installed software that you are unable to
patch is a very bad idea.

> 1)How can i run the htpasswd run as setuid? AM not clear about this point

htpasswd is *not* normally run suid, and that is fine. This bug only
applies if you let untrusted users run htpasswd using priveleges other
than their own. This is not a typical setup and you wouldn't have it
setup that way unless you specifically changed the permissions. If
you are really worried, just delete htpasswd, which you probably don't
need.

> 2)Is there anyways I can test by injecting inject escape sequences into an Apache error or access log?

Sure, but what is the point? Escape sequences in the log are not
dangerous. It has been possible to put raw garbage in the apache log
since the first version of apache, and this has always been clearly
documented. You should just avoid using a broken terminal emulator
that may interpret the escape sequences. (To be safe, just never view
the logs at the terminal. Use an editor as in "tail error_log > tmp;
vi tmp".)

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



Yahoo! Music Unlimited - Access over 1 million songs. Try it free.
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux