ofbiz-user mailing list archives

From "Stephens, Drew" <Dsteph...@rippe.com>
Subject RE: Upgrading our Apache Server
Date Tue, 06 Mar 2007 22:01:13 GMT
Sorry, I should have said PCI Scan (must have dyslexia between the seat
and the keyboard).  This stands for "Payment Card Industry": the major
credit card companies (VISA, MC, etc.) got together and established some
security standards that their members must meet relative to credit card
security.  One of the standards is quarterly system scans where they
test the various ports of an ecommerce website.  See
http://www.pcicomplianceguide.org for more info.

The errors are below.  Our system was scanned last night and we received
5 errors, 2 severe.  All were related to our level of Apache.

1.  Apache mod_proxy DoS - Apache versions between 1.3.25 and 1.3.31 may
allow a remote attacker to crash the web server via manipulation of the
HTTP Content-Length header.
2.  Apache Buffer Overflow - Apache versions prior to 1.3.27 or 2.0.42 can
result in a denial of service, and possibly, arbitrary code execution on
your server.
3.  Apache Rotate Logs DoS - Apache versions prior to 1.3.28 are vulnerable
to a remote denial of service attack; this is only known on Windows
servers.
4.  Apache mod_alias and mod_rewrite Buffer Overflow - If the user has
access to the Apache configuration, it's possible to take advantage of
the buffer overflow vulnerability in mod_alias and mod_rewrite.
5.  Apache Socket Starvation DoS - Apache versions prior to 1.3.31 and
2.0.49 are vulnerable to a denial of service attack.

Our application is running on Windows Server 2003.

Now for your questions.

I think our IBM HTTP server is 1.3.26, and the error messages state that
any version of Apache between 1.3.25 and 1.3.31 is vulnerable to the
potential exposures (tried to attach the report but it's an image file).


As for the version of OFBiz, I can never remember where to find this.
When I look at the General Properties file, it references 1.7.  We
installed OFBiz in 2003 and due to our modifications, haven't upgraded
it.  If you can guide me where to find the release level I could provide
it.



Drew Stephens
Rippe & Kingston Systems, Inc. 
dstephens@rippe.com
Phone: (513) 977-4573 

Visit us at: www.rippe.com 

1077 Celestial Street, Cincinnati, Ohio 45202-1696

===============================================================================



-----Original Message-----
From: Walter Vaughan [mailto:wvaughan@steelerubber.com] 
Sent: Tuesday, March 06, 2007 3:48 PM
To: user@ofbiz.apache.org
Subject: Re: Upgrading our Apache Server


Stephens, Drew wrote:

> Due to a CPI Scan, we are being instructed to update our Apache
> software.  We are worried about how this will affect our OFBiz
> environment; what "gotchas" should we look out for?  I am attaching
> the scan report which explains the exposures the upgrade would
> address.
>
> Any help will be appreciated.  Thanks in advance.

First, what is a CPI scan?
Second, what OS are you running ofBiz on?
Third, what version of Apache http are you on now, and what version does
this mythical CPI recommend, or does it just say upgrade?
Fourth, are you sure you are running ofBiz inside Apache http?

--
Walter
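The five findings in Drew's message are, apart from the mod_alias/mod_rewrite one, plain version-range checks. The script below is an added example (not code from the thread, OFBiz or the scanner) that encodes those ranges exactly as the scan report words them and reports which findings apply to a given Apache version on a given platform, so an administrator can confirm what an upgrade target would clear before touching a production OFBiz box. The finding names and the inclusive reading of "between 1.3.25 and 1.3.31" are assumptions made for this example; "prior to X" is modelled as "up to and including the release before X".

```python
"""Triage PCI scan findings against an installed Apache version.

Added example for the thread above; the finding table is constructed from
the wording of the scan report quoted in Drew's message, not from any
scanner's database.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
# Inclusive (lowest affected, highest affected); None lowest means "any".
Bounds = Tuple[Optional[Version], Version]


def parse_version(text: str) -> Version:
    """'1.3.26' -> (1, 3, 26). Tuples compare element-wise, which is the
    ordering we want for dotted release numbers (unlike string comparison)."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Apache version string: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Finding:
    name: str
    # Affected range per release branch, keyed by (major, minor). A branch
    # the scan does not mention is absent and therefore never matches.
    affected: Dict[Version, Bounds] = field(default_factory=dict)
    windows_only: bool = False
    # False for findings the scan does not tie to a version at all.
    version_bounded: bool = True


# Constructed from the five findings in the message (names are ours).
FINDINGS: List[Finding] = [
    Finding("mod_proxy DoS (Content-Length)",
            {(1, 3): ((1, 3, 25), (1, 3, 31))}),            # between 1.3.25 and 1.3.31
    Finding("Buffer overflow",
            {(1, 3): (None, (1, 3, 26)),                    # prior to 1.3.27
             (2, 0): (None, (2, 0, 41))}),                  # prior to 2.0.42
    Finding("rotatelogs DoS (Windows only)",
            {(1, 3): (None, (1, 3, 27))},                   # prior to 1.3.28
            windows_only=True),
    Finding("mod_alias/mod_rewrite buffer overflow",        # no version given;
            version_bounded=False),                         # needs config access
    Finding("Socket starvation DoS",
            {(1, 3): (None, (1, 3, 30)),                    # prior to 1.3.31
             (2, 0): (None, (2, 0, 48))}),                  # prior to 2.0.49
]


def is_affected(finding: Finding, version: Version, on_windows: bool) -> bool:
    """True when the scan's stated range for this finding covers `version`."""
    if finding.windows_only and not on_windows:
        return False
    bounds = finding.affected.get(version[:2])
    if bounds is None:
        return False
    low, high = bounds
    return (low is None or low <= version) and version <= high


def triage(version_text: str, on_windows: bool) -> Tuple[List[str], List[str]]:
    """Return (findings cleared or not by the version, findings needing manual review)."""
    version = parse_version(version_text)
    hits = [f.name for f in FINDINGS
            if f.version_bounded and is_affected(f, version, on_windows)]
    review = [f.name for f in FINDINGS if not f.version_bounded]
    return hits, review


if __name__ == "__main__":
    # Drew's reported setup: IBM HTTP Server 1.3.26 on Windows Server 2003.
    for label, candidate in [("current", "1.3.26"), ("candidate", "2.0.49")]:
        hits, review = triage(candidate, on_windows=True)
        print(f"{label} {candidate}: {len(hits)} version findings apply -> {hits}")
        print(f"  manual review regardless of version: {review}")
```

Running it shows that 1.3.26 on Windows matches four of the five findings, while 1.3.31 clears everything except the mod_proxy range it sits at the top of, and a 2.0.49 target clears all version-bounded findings; the mod_alias/mod_rewrite item is always reported for manual review because the scan ties it to configuration access rather than to a release.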
