On 9/11/06, Patrick_N_Holt@xxxxxxxxxxxxxxxxxx <Patrick_N_Holt@xxxxxxxxxxxxxxxxxx> wrote:
Hello all, After a 3rd party security scan of our servers, I was handed a list of "issues" to patch on some 2k3 servers that we are running Apache on. However, this 3rd party used Nessus, and the 3 Nessus IDs they supplied me with don't really identify if the Windows version of Apache is vulnerable or not. For instance, Nessus ID 14471: Apache HTTP Server versions 1.3 through 1.3.27 contain vulnerabilities in htpasswd and htdigest. But it then goes on to say that they are basing this on version number only and that it "could" be a false positive. I have to either say yes, it's a false positive, or if it's a true issue, address it. I cannot find anything that specifically says "Apache 1.3.31" for Windows has this vulnerability or no, it does not apply to this version. It looks a little like it only affects the Linux/Unix and Mac versions from what little I could find on securityfocus.com, but I'm a bit befuddled as to why Windows would not be affected unless the implementation under Windows is just radically different. Can anyone offer any suggestions or resources I can reference?
The only way you could be vulnerable to this is if you ran htpasswd or htdigest from a CGI script (which is not a smart thing to do).

Joshua.
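A triage check for the condition named in the reply above, as an added example that is not part of the original thread: it reads the `ScriptAlias` directories out of an `httpd.conf` and lists script lines that call `htpasswd` or `htdigest`, which is the evidence needed to mark a version-only scanner finding as a false positive. The config text, paths and Perl scripts in `demo()` are constructed, and the check assumes CGI is enabled only through `ScriptAlias` (directories enabled with `Options ExecCGI` are not discovered).

```python
import os
import re
import tempfile

# Tool name as a command, with or without .exe; the lookbehind skips the
# ".htpasswd" password *file*, which scripts may legitimately reference.
TOOL_RE = re.compile(r"(?<![\w.])(htpasswd|htdigest)(?:\.exe)?(?!\w)", re.I)
# ScriptAlias <url-path> <directory>, directory optionally quoted.
ALIAS_RE = re.compile(r'\s*ScriptAlias\s+\S+\s+"?([^"]+?)"?\s*$', re.I)

def cgi_dirs(conf_text):
    """Directories named by uncommented ScriptAlias lines in httpd.conf text."""
    matches = (ALIAS_RE.match(line) for line in conf_text.splitlines())
    return [m.group(1) for m in matches if m]

def find_tool_calls(directory):
    """(file name, line number, tool) for each line that names either tool."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            try:
                with open(os.path.join(root, name), errors="replace") as fh:
                    for number, line in enumerate(fh, 1):
                        found = TOOL_RE.search(line)
                        if found:
                            hits.append((name, number, found.group(1).lower()))
            except OSError:
                continue  # unreadable file: skipped, review by hand
    return hits

def demo():
    """Run both steps over a constructed config and two constructed scripts."""
    with tempfile.TemporaryDirectory() as tmp:
        cgi = os.path.join(tmp, "cgi-bin")
        os.mkdir(cgi)
        scripts = {
            "reset.pl": '#!perl\nsystem("C:/Apache/bin/htpasswd.exe", "-b", $f, $u, $p);\n',
            "list.pl": '#!perl\nopen(F, "C:/Apache/conf/.htpasswd");\n',
        }
        for name, body in scripts.items():
            with open(os.path.join(cgi, name), "w") as fh:
                fh.write(body)
        conf = f'# ScriptAlias /old/ "/nowhere/"\nScriptAlias /cgi-bin/ "{cgi}/"\n'
        dirs = cgi_dirs(conf)
        return dirs, [hit for d in dirs for hit in find_tool_calls(d)]

if __name__ == "__main__":
    print(demo())
```

An empty hit list across every CGI directory supports the false-positive answer; any hit is a script to read by hand, since a match only shows that the tool is named on that line.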