Penetration Testing mailing list archives
Re: Default Apache install w/ mods
From: security curmudgeon <jericho () attrition org>
Date: Fri, 14 Dec 2001 15:12:06 -0500 (EST)
> I am going up against what looks like a standard Apache install with the following mods:
>
> Apache/1.3.22 (unix) mod_perl/1.26 mod_fastcgi mod_ssl/2.8.5 OpenSSL/0.9.6b
>
> I am not too experienced with Apache (and IIS is so easy). I have used the test-cgi and printenv scripts to gain some info. My question is, what are the vulnerabilities with the standard install (still has the Apache "Welcome" message)? Do the mods have any exploitable weaknesses? What are the default cgi-bin scripts (are there any)? I was able to use this server as a proxy which got me past their firewall though. :)
>
> Sorry for the basic question. Any help would be appreciated.
off a default 1.3.22 install

/usr/local/apache/cgi-bin/printenv
/usr/local/apache/cgi-bin/test-cgi

you really should get access to a unix box in order to install packages like this. will greatly assist you in figuring out default settings.
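An added example, not part of the original post or thread: a local audit an administrator can run against an Apache tree to find the two sample scripts the reply names and the forward-proxy setting the question mentions. The `/usr/local/apache` root and the script paths come from the post; the function name, the output labels and the `conf/httpd.conf` location are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a local Apache tree for default-install leftovers.
# Usage: audit_apache_defaults /usr/local/apache
# Returns 0 when nothing is found, 1 when at least one finding is reported.

audit_apache_defaults() {
    root="${1:-/usr/local/apache}"   # install root from the post
    findings=0

    # Sample CGI scripts listed in the reply for a default 1.3.22 install.
    for script in printenv test-cgi; do
        path="$root/cgi-bin/$script"
        if [ -f "$path" ]; then
            if [ -x "$path" ]; then
                echo "EXPOSED  $path (present and executable)"
            else
                echo "PRESENT  $path (not executable, remove it anyway)"
            fi
            findings=$((findings + 1))
        fi
    done

    # Forward proxying: an uncommented "ProxyRequests On" lets clients
    # relay requests through the server. Config path is an assumption.
    conf="$root/conf/httpd.conf"
    if [ -f "$conf" ] &&
       grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On' "$conf"; then
        echo "PROXY    $conf enables ProxyRequests"
        findings=$((findings + 1))
    fi

    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}
```
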