httpd-users mailing list archives

From Ben Ricker <bric...@wellinx.com>
Subject Re: [users@httpd] Hackers hacking my Apache HTTP Server?
Date Tue, 02 Sep 2003 19:34:09 GMT
Just a note about web security: there are two levels of security and it
seems we are conflating the two. On one level is the "server security",
that is, how secure is Apache? On that score, I would consider Apache
one of, if not the most, secure web server out there. Very few
vulnerabilities (relatively) and very quick and easy patching.

The second level is on the level of web application security. Web
applications are run INSIDE of Apache. Their security is (mostly)
independent of Apache's security. For instance, a CGI application
written in Perl may have any number of vulnerabilities that could lead
to any number of security vulnerabilities (from root access to the box
to the ability to deface a web site). These vulnerabilities include such
things as unchecked variable boundaries, cross-site scripting
vulnerabilities, poor authentication protocols, etc.

To summarize: Apache is very secure. Your application may not be.

Ben Ricker

On Tue, 2003-09-02 at 13:53, Joseph A Nagy Jr wrote:
> On Monday 01 September 2003 23:47, Jeff B. Meisenhelder wrote this in an 
> attempt to be witty or informative:
> > To my knowledge, a firewall like ZoneAlarm won't really help because
> > your port 80 (or whatever port you are running Apache on) must remain
> > open for your server to work.
> >
> > Just my .02,
> >
> > --Jeff Meisenhelder, poptart@poptartweb.org
> 
> Personally I run a firewall that allows port 80 and hide my box behind a 
> dedicated router.
> 
> > From: David [mailto:amdawong@starhub.net.sg]
> > Sent: Sunday, August 31, 2003 11:35 PM
> > To: HTTP Server Users
> >
> >
> > Hi guys,
> >
> > I am a complete newbie to HTTP server.
> >
> > After some reading from online tutorials and docs from the Apache
> > site, I managed to get the server up and running.
> > I now can host my own website and I am happy with it.
> >
> > However, I have read a lot about hackers hacking into people's
> > webservers. I do not know what webserver they are able to hack into.
> > I do not know how they do it and that is why I am a little concerned
> > here.
> >
> >
> > 1.	How secure is the Apache HTTP Server ?
> >
> > 2.	If the HTTP server is not secure, will installing a
> > firewall(i.e. free ones like ZoneAlarm) help ?
> >
> > Warmest Regards
> > David
> 
> - -- 
> Joseph A Nagy Jr, Founder
> url: http://mc-luug.homelinux.org
> irc: irc.freenode.net #mc-luug
> http://faqs.org/faqs/usenet/legends/godwin/
> 
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org