Posted to users@httpd.apache.org by Pa...@clarkeamerican.com on 2006/09/11 20:40:57 UTC

[users@httpd] addressing supposed vulnerabilities on Windows apache 1.3.31

Hello all,

After a 3rd party security scan of our servers, I was handed a list of
"issues" to patch on some 2k3 servers that we are running Apache on.
However, this 3rd party used Nessus, and the 3 Nessus IDs they supplied me
with don't really identify if the Windows version of Apache is vulnerable
or not.  For instance, Nessus ID 14471: Apache HTTP Server versions 1.3
through 1.3.27 contain vulnerabilities in htpasswd and htdigest.  But it
then goes on to say that they are basing this on version number only and
that it "could" be a false positive.  I have to either say yes, it's a false
positive, or if it's a true issue, address it.
I cannot find anything that specifically says "Apache 1.3.31" for Windows
has this vulnerability or no, it does not apply to this version.  It looks a
little like it only affects the Linux/Unix and Mac versions from what
little I could find on securityfocus.com, but I'm a bit befuddled as to why
Windows would not be affected unless the implementation under Windows is
just radically different.
Can anyone offer any suggestions or resources I can reference?

Thanks in Advance
Patrick Holt




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] addressing supposed vulnerabilities on Windows apache 1.3.31

Posted by Joshua Slive <jo...@slive.ca>.
On 9/11/06, Patrick_N_Holt@clarkeamerican.com
<Pa...@clarkeamerican.com> wrote:
>
> Hello all,
>
> After a 3rd party security scan of our servers, I was handed a list of
> "issues" to patch on some 2k3 servers that we are running Apache on.
> However, this 3rd party used Nessus, and the 3 Nessus IDs they supplied me
> with don't really identify if the Windows version of Apache is vulnerable
> or not.  For instance, Nessus ID 14471: Apache HTTP Server versions 1.3
> through 1.3.27 contain vulnerabilities in htpasswd and htdigest.  But it
> then goes on to say that they are basing this on version number only and
> that it "could" be a false positive.  I have to either say yes, it's a false
> positive, or if it's a true issue, address it.
> I cannot find anything that specifically says "Apache 1.3.31" for Windows
> has this vulnerability or no, it does not apply to this version.  It looks a
> little like it only affects the Linux/Unix and Mac versions from what
> little I could find on securityfocus.com, but I'm a bit befuddled as to why
> Windows would not be affected unless the implementation under Windows is
> just radically different.
> Can anyone offer any suggestions or resources I can reference?

The only way you could be vulnerable to this is if you ran htpasswd or
htdigest from a CGI script (which is not a smart thing to do).

Joshua.
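
One way to check the condition described in the reply above, as an added example that is not part of the original thread: read the ScriptAlias directories out of an httpd.conf body and list every script line that names htpasswd or htdigest. The function names and the sample files are constructed for illustration, and it assumes CGI is enabled only through ScriptAlias (directories enabled with ExecCGI or AddHandler cgi-script are not covered).

```python
import re
import tempfile
from pathlib import Path

# ScriptAlias /cgi-bin/ "C:/path/cgi-bin/" ; commented-out lines do not match.
SCRIPT_ALIAS = re.compile(r'^\s*ScriptAlias\s+\S+\s+(?:"([^"]+)"|(\S+))', re.I | re.M)
# The tool names, with or without .exe; the lookbehind skips ".htpasswd" data files.
TOOL = re.compile(rb'(?<![.\w])(htpasswd|htdigest)(?:\.exe)?\b', re.I)


def cgi_dirs(conf_text):
    """Directories that an httpd.conf body maps with ScriptAlias."""
    return [Path(quoted or bare) for quoted, bare in SCRIPT_ALIAS.findall(conf_text)]


def find_tool_calls(directory):
    """(file name, line number, tool) for every line that names htpasswd or htdigest."""
    hits = []
    for path in sorted(Path(directory).rglob("*")):
        if not path.is_file():
            continue
        for number, line in enumerate(path.read_bytes().splitlines(), 1):
            match = TOOL.search(line)
            if match:
                hits.append((path.name, number, match.group(1).decode().lower()))
    return hits


def audit(conf_text):
    """Map each existing ScriptAlias directory to the hits found under it."""
    return {str(d): find_tool_calls(d) for d in cgi_dirs(conf_text) if d.is_dir()}


def demo():
    """Audit a constructed CGI tree: one script runs htpasswd, one only opens a .htpasswd file."""
    with tempfile.TemporaryDirectory() as root:
        cgi = Path(root, "cgi-bin")
        cgi.mkdir()
        (cgi / "adduser.pl").write_text('#!perl\nsystem("htpasswd.exe -b users.pw $u $p");\n')
        (cgi / "status.pl").write_text('#!perl\nopen(F, "conf/.htpasswd");\n')
        conf = f'#ScriptAlias /old/ "{root}/old/"\nScriptAlias /cgi-bin/ "{cgi.as_posix()}/"\n'
        return list(audit(conf).values())[0]


if __name__ == "__main__":
    print(demo())
```

An empty result for every directory supports recording the scanner finding as a false positive; any hit is a text match only and needs a manual read of the script.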
