httpd-users mailing list archives

From Yehuda Katz <>
Subject Re: [users@httpd] Offtopic: Apache Struts vulnerability: how to detect Struts & will DB encryption help
Date Sun, 10 Sep 2017 13:57:06 GMT
Post Apache Struts questions on the Struts mailing list:

It also happens that you are wrong about where HTTPD runs. Plenty of people
have it running perfectly well on Windows.

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Sep 10, 2017 9:45 AM, "Sunhux G" <> wrote:

Understand Apache web servers (runs on Unix only) & Apache Struts
(can run in Windows & appliances) are different things:

Can the various VA scanners (like Nessus & McAfee Vulnerability Manager)
detect the presence of Struts or you'll need to log in to individual servers/
endpoints or have an agent running in them (like SCCM or MS Desktop
Central) to check for the presence of Struts?

Will DB encryption help stop Struts vulnerabilities, e.g., the recent one?
Is the following true (someone told me):
  If hackers directly access the database (say using sql query tools/command
to get sensitive data) on an encrypted DB, they would be stopped;
  if they hacked a user password or exploited a website (that had vulnerable
Struts) to the encrypted DB, it would be no help.

It's kinda saying if my PC's HDD is encrypted (with a PBA password
required), hackers can't access a powered down HDD but if the PC
is powered up & logged in & there's a remote execution vulnerability
to my OS, hackers can still get data out of my encrypted HDD via
this remote execution vulnerability: is this a fair analogy?

