Vulnerability Development mailing list archives
Re: Apache vulnerability checking
From: "Toni Heinonen" <Toni.Heinonen () teleware fi>
Date: Mon, 24 Jun 2002 22:17:02 +0300
Anyway, I thought that when I'm sure it's an apache server ("Server: Apache blabla") and it crashes then it must be vulnerable. Is this always the case? This morning I received a mail from some admin who I had mailed and he told me they had already upgraded. Full server version: "Server: Apache/1.3.24 (Unix) (Red-Hat/Linux) mod_ssl/2.8.8 OpenSSL/0.9.6b mod_perl/1.26" So my question is: has redhat changed something in the bad- chunked-encoding-detected-behavior in their backport or did this guy just forget to restart apache?
Indeed, Red Hat 7.2 carries Apache 1.3.22 and 7.3 has 1.3.23, and probably for compatibility reasons the upgraded RPM didn't upgrade Apache to 1.3.26, but simply patches the old version's chunked encoding -code. So in essence it's the old, vulnerable version of Apache with a patch. For instance, eEye's tool reports my patched RH7.2 server as "vulnerable", because it only checks the server string, it doesn't try to exploit the vulnerability. See Red Hat's advisory: http://rhn.redhat.com/errata/RHSA-2002-103.html Notice, on RH7.2, the upgrade from apache-1.3.22-2.i386.rpm (base system, or perhaps left from earlier upgrade) to apache-1.3.22-6.i386.rpm. The Apache version remains the same, but the RPM'd package version is upgraded. -- Toni Heinonen, Teleware Oy Wireless +358 (40) 836 1815 Telephone +358 (9) 3434 9123 toni.heinonen () teleware fi www.teleware.fi
Current thread:
- Apache vulnerability checking Syzop (Jun 23)
- RE: Apache vulnerability checking Elan Hasson (Jun 24)
- <Possible follow-ups>
- Re: Apache vulnerability checking Toni Heinonen (Jun 24)
- Re: Apache vulnerability checking Syzop (Jun 26)
- Re: Apache vulnerability checking Laurentiu Nicula (Jun 26)
- Message not available
- Re: Apache vulnerability checking Alex Balayan (Jun 26)
- Re: Apache vulnerability checking Syzop (Jun 26)