httpd-users mailing list archives

From Ben Ricker <bric...@wellinx.com>
Subject Re: [users@httpd] Killing apache(bugg?)
Date Mon, 20 Jan 2003 19:34:40 GMT
The problems you are seeing are not a problem with Apache, per se, but
rather a problem with ANY remote access by possibly hostile users. 

The end to all the problems you suggest is to root jail Apache (not
foolproof, but would take a skillful hack to break). There will be no
kill anything available, nor any other of the possibly pernicious
commands <!--#exec cmd="mv ~/passwd /etc/passwd" -->. Killing Apache
would be a sort of benign DoS attack. I would be more worried about
someone moving a file to override the password file or replacing a
binary with a trojan.

Ben Ricker
Web Security System Administrator
Wellinx.com


On Mon, 2003-01-20 at 12:40, Oskar 'Zoot' Lindgren wrote:
> SHTML also needs one line to do it:
> 
> 
> <!--#exec cmd="killall -STOP apache" -->
> 
> ----- Original Message -----
> From: "Joshua Slive" <joshua@slive.ca>
> To: <users@httpd.apache.org>
> Sent: Monday, January 20, 2003 6:02 PM
> Subject: Re: [users@httpd] Killing apache(bugg?)
> 
> 
> >
> > On Mon, 20 Jan 2003, Chris Meadors wrote:
> >
> > > Joshua Slive wrote:
> > >
> > > > Take a look at running php as a cgi and using suexec.
> > >
> > > That kinda breaks PHP.  Also the original poster said that the students
> > > would also be working with SHTML.
> >
> > I'm not sure why you say that breaks PHP.  Many people run PHP as a CGI.
> >
> > As far as shtml, that is relatively safe.  It is hard to break very much
> > with ssi, especially if any cgi includes are run through suexec.
> >
> > Joshua.
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
> 
> 
-- 
Ben Ricker <bricker@wellinx.com>
Wellinx.com
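
An added example, not part of the thread or of Apache: a Python audit an administrator could run over students' document trees to list every SSI `exec` directive of the kind quoted above, separating `cmd` (a string handed to the shell) from `cgi` includes. The function names and the sample page are constructed for illustration.

```python
import os
import re
import sys

# SSI directive syntax: <!--#element attribute=value ... -->
DIRECTIVE = re.compile(r"<!--#(\w+)\s+(.*?)\s*-->", re.S)
# Values may be double-quoted, single-quoted, backtick-quoted or bare.
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|`([^`]*)`|(\S+))""")

# Constructed sample page; the exec cmd line is the one quoted in the thread.
SAMPLE = """<html><body>
<!--#include virtual="/footer.html" -->
<!--#exec cmd="killall -STOP apache" -->
<!--#exec cgi="/cgi-bin/counter.cgi" -->
<!--#echo var="DATE_LOCAL" -->
</body></html>
"""

def find_exec_directives(text):
    """Return (line, kind, value) for each SSI exec directive; kind is cmd or cgi."""
    findings = []
    for m in DIRECTIVE.finditer(text):
        # Names are lowercased so the audit errs on the side of reporting.
        if m.group(1).lower() != "exec":
            continue
        line = text.count("\n", 0, m.start()) + 1
        for a in ATTR.finditer(m.group(2)):
            name = a.group(1).lower()
            value = next(g for g in a.groups()[1:] if g is not None)
            if name in ("cmd", "cgi"):
                findings.append((line, name, value))
    return findings

def audit_tree(root, suffixes=(".shtml",)):
    """Walk root and map each SSI-parsed file to its exec directives."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith(suffixes):
                path = os.path.join(dirpath, n)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_exec_directives(fh.read())
                if hits:
                    report[path] = hits
    return report

if __name__ == "__main__":
    print(audit_tree(sys.argv[1]) if len(sys.argv) > 1 else find_exec_directives(SAMPLE))
```
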
