httpd-users mailing list archives

From Sunhux G <>
Subject [users@httpd] Offtopic: Apache Struts vulnerability: how to detect Struts & will DB encryption help
Date Sun, 10 Sep 2017 13:44:53 GMT
Understand Apache web servers (runs on Unix only) & Apache Struts
(can run in Windows & appliances) are different things:

Can the various VA scanners (like Nessus & McAfee Vulnerability Manager)
detect the presence of Struts, or will you need to log in to individual servers/
endpoints or have an agent running on them (like SCCM or MS Desktop
Central) to check for the presence of Struts?

Will DB encryption help stop Struts vulnerabilities, e.g. the recent one?
Is the following true (someone told me):
  If hackers directly access the database (say using sql query tools/command
to get sensitive data) on an encrypted DB, they would be stopped;
  if they hacked a user password or exploited a website (that had vulnerable
Struts) to the encrypted DB, it would be no help.

It's kinda saying if my PC's HDD is encrypted (with a PBA password
required), hackers can't access a powered down HDD but if the PC
is powered up & logged in & there's a remote execution vulnerability
in my OS, hackers can still get data out of my encrypted HDD via
this remote execution vulnerability: is this a fair analogy?

