httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Leggett <>
Subject Re: Apache config files and alternate config sources
Date Wed, 15 Aug 2001 16:39:33 GMT
Aaron Bannert wrote:

> The attack is the same, but the result is different. Named virtual hosts
> only really affect how the client contacts the server, and everything
> else happens in HTTP (in the Host: header). You can not prevent someone
> from altering their own DNS entries maliciously. OTOH, DNS-trusted
> runtime-config would allow an attacker to configure your httpd with
> whatever LDAP config they wanted, including SuEXEC, piped logs, etc.

You're 100% correct - which is why your network would be suitably
secured with private networks, connections based on IP address or names
defined in /etc/hosts, all the provisions normally installed at any
secure LDAP based email installation. :)

-----------------------------------------		"There's a moon
					over Bourbon Street
View raw message