httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] mod_coldfusion and general apache security
Date Wed, 20 Jun 2007 14:27:40 GMT

On 6/20/07, David Hartburn <David.Hartburn@dovetailservices.com> wrote:
> Hi,
>
> I've got a couple of questions regarding mod_coldfusion and issues
> running older versions of apache.
>
> First of all, does anyone have a copy of the modified source code for
> combining ColdFusion 5 and Apache 2? The official mod_coldfusion does
> not interface between the two, however resources on the web suggest some
> people wrote a modified (unsupported) version back in 2002. Being so
> long ago, I've been unable to find the code on the web anywhere.
>
> Given that a number of security flaws have arisen since Apache 2.0.52,
> would anyone advise still using it? I do have a pre-compiled
> mod_coldfusion module for that version, currently running on our old web
> servers, which would be a quick fix for the problem. My feeling is that
> we should completely drop the old version, as it is insecure and move to
> the very latest. Does anyone think that running 2.0.52 is still ok on
> live public facing web servers?

It is always best to keep up with the latest version. You'll need to
do it eventually anyway.

But to answer your specific question, read through this page:
http://httpd.apache.org/security/vulnerabilities_20.html

You'll see there that the only "important" security vulnerabilities
are a denial-of-service attack, a problem with SSLVerifyClient, and a
problem with a specific type of mod_rewrite configuration. You should
evaluate how serious those problems are for your setup.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

