* Ajai Khattri (ajai@bitblit.net) [020919 09:02] wrote:
> Not seeing any announcement from my vendor (and not wanting to compile
> SSL from source),
> I set out to see if there was some way of avoiding being infected in the
> first place. I decided to hack my Apache (1.3.26) source code to send a
> bogus Server: header

...and you're still vulnerable.

Don't forget mod_ssl and openssl show their versions if you talk to SSL-enabled apache ( src/modules/ssl/ssl_engine_init.c, ap_add_version_component ).

So if another kiddie compiles PUD code changing it not to look for 'Apache', but 'mod_ssl|open_ssl' - you're dead. Not to mention another, who won't check the server response, but will send all exploits to every 80 port opened - you're dead too.

Someone can read your "fix", apply it, and think he's safe. Giving such "advice" _can_ make the whole situation worse - some people out there will look for all this "Slapper thing" with smiles thinking they're patched.

Go patch the real hole.

Regards

MJ.

--
Miroslaw.Jaworski@ipartners.pl ( Psyborg ) MJ102-RIPE
Internet Partners
Server Administration Department Manager
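The point MJ makes above, that rewriting the "Apache/1.3.26" token leaves the mod_ssl and OpenSSL components in the banner, can be checked against your own server's Server: header before trusting any such change. The following is an added example, not code from either poster or from the Apache project: a small parser for the Server: header's product tokens that reports every component still carrying a version and whether the SSL stack is still named. The sample headers are constructed for the example (the first two mirror the layout a mod_ssl build emits, the third the bare "Apache" form you get with ServerTokens set to Prod); the version numbers are illustrative, not a claim about what any particular host sends.

```python
import re

# Constructed sample banners (not captured from any real host).
SAMPLE_HEADERS = {
    # what a stock Apache 1.3.26 + mod_ssl build announces
    "stock": "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d",
    # the same build after only the leading Apache token was replaced
    "bogus_apache_only": "Bogus/1.0 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d",
    # the form Apache emits with ServerTokens Prod
    "product_only": "Apache",
}

# One product token per RFC 2616: name, optional "/version", optional "(comment)".
_PRODUCT_RE = re.compile(r"([^\s/()]+)(?:/([^\s()]+))?(?:\s*\(([^)]*)\))?")

# Components whose presence identifies the SSL stack no matter what the
# leading product token says.
SSL_STACK_COMPONENTS = {"mod_ssl", "openssl"}


def parse_server_header(value):
    """Split a Server: header into (product, version, comment) tuples."""
    products = []
    for match in _PRODUCT_RE.finditer(value.strip()):
        name, version, comment = match.groups()
        products.append((name, version, comment))
    return products


def disclosed_components(value):
    """Return {product: version} for every token that still carries a version."""
    return {name: version
            for name, version, _ in parse_server_header(value)
            if version}


def still_identifies_ssl_stack(value):
    """True if the banner still names mod_ssl or OpenSSL, with or without a version."""
    names = {name.lower() for name, _, _ in parse_server_header(value)}
    return bool(names & SSL_STACK_COMPONENTS)


def audit_banner(value):
    """Human-readable verdict for one Server: header value."""
    leaked = disclosed_components(value)
    if still_identifies_ssl_stack(value):
        return "SSL stack still identified: %s" % ", ".join(
            "%s/%s" % (k, v) for k, v in sorted(leaked.items()))
    if leaked:
        return "versions still disclosed: %s" % ", ".join(
            "%s/%s" % (k, v) for k, v in sorted(leaked.items()))
    return "no component versions disclosed"


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print("%-18s %-50s -> %s" % (label, header, audit_banner(header)))
```

Running it shows the "bogus_apache_only" banner still reporting mod_ssl and OpenSSL versions, which is exactly the gap MJ describes; the check only tells you what the banner reveals, it says nothing about whether the underlying OpenSSL is patched.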