Posted to users@httpd.apache.org by Nick Kew <ni...@webthing.com> on 2005/11/29 14:35:50 UTC
Re: [users@httpd] Help required for security vulnerabilities in 1.3.29
On Tuesday 29 November 2005 12:17, Joost de Heer wrote:
> > To start, you can get information on apache 1.3 security vulnerabilities
> > here:
> > http://httpd.apache.org/security/vulnerabilities_13.html
> > You'll notice this lines up quite closely with the list you quote.
> > All of these problems could be fixed simply by upgrading your server
> > to the most recent 1.3 release: 1.3.33.
>
> 1.3.34 was released several weeks ago (at least the Unix version, did
> William Rowe upload the win32 1.3.34 binary yet?)
http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=113147100206551&w=2
I can't find the reference just now, but he later suggested this lack of
interest means we can finally declare 1.3-on-windows dead.
--
Nick Kew
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Help required for security vulnerabilities in 1.3.29
Posted by Joost de Heer <sa...@xs4all.nl>.
>> 1.3.34 was released several weeks ago (at least the Unix version, did
>> William Rowe upload the win32 1.3.34 binary yet?)
>
> http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=113147100206551&w=2
>
> I can't find the reference just now, but he later suggested this lack of
> interest means we can finally declare 1.3-on-windows dead.
Well, it looks like the win32 build of 1.3.34 is available now....
Joost
Re: [users@httpd] Help required for security vulnerabilities in 1.3.29
Posted by syona m <sy...@yahoo.com>.
Hi All,
I have come to know that by default the DELETE and PUT methods are disabled in the Apache web server. Is there any way I can test for the same?
Following the tips mentioned in the following sites http://software.newsforge.com/article.pl?sid=04/09/17/1527247&tid=78&tid=48
"To test the PUT method, use a tool like curl to attempt a file upload:
curl -T test.asp http://www.mywebsite.com/
Next, try to access the file. If you can, then the PUT method is enabled.
To test the DELETE method, connect to the server using telnet and issue the following command:
DELETE / HTTP/1.0\n \n
where is the file you want to delete (ie: index.html). If the file gets removed, the DELETE method is enabled"
Using the curl tool it was seen that the PUT method is not impacting our software:
D:\curl\curl-7.15.0>curl -T README http://xxx:8080/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>405 Method Not Allowed</TITLE>
</HEAD><BODY>
<H1>Method Not Allowed</H1>
The requested method PUT is not allowed for the URL /README.<P>
<HR>
<ADDRESS>Apache/1.3.29 Server at indmft6 Port 8080</ADDRESS>
</BODY></HTML>
Using the same tool for the DELETE method, we were not able to log in to the server,
trying directly to test the DELETE method:
DELETE <file> HTTP/1.0\n \n
# DELETE
DELETE: not found
#
I got this. Is this a valid testing result, or is "command: not found" a message coming from the Solaris operating system?
Please let me know if there is any other way I could verify for sure that this method is not being used by the Apache installed on my machine.
Thanks for the help
Regards
Priya
"William A. Rowe, Jr." <wr...@rowe-clan.net> wrote:
Nick Kew wrote:
> On Tuesday 29 November 2005 12:17, Joost de Heer wrote:
>
>>1.3.34 was released several weeks ago (at least the Unix version, did
>>William Rowe upload the win32 1.3.34 binary yet?)
>
> http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=113147100206551&w=2
>
> I can't find the reference just now, but he later suggested this lack of
> interest means we can finally declare 1.3-on-windows dead.
Yes, at which point Randy our Guru of Win32/modperl reminded me that many
folks do use this, and he personally vouched for the installer.
So, yes, these have been up for the past week.
Bill
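An added example, not part of the original post and not Apache project code: the DELETE line from the quoted article is an HTTP request, so it has to travel over a connection to the web server's port; typed at a Solaris `#` prompt it is looked up as a shell command, which is where "DELETE: not found" comes from. The sketch below sends PUT or DELETE to a path that does not exist, so nothing can be removed, and classifies the status; `PROBE_PATH`, the function names and the sample response (headers included) are constructed for illustration.

```python
import http.client

# Hypothetical path that should not exist, so DELETE can never remove real content.
PROBE_PATH = "/method-probe-does-not-exist.txt"

def build_request(method, path, host):
    """Raw request as it would be typed into telnet: CRLF line ends, blank line last."""
    return f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")

def parse_status(raw):
    """Return (status_code, Allow header or None) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    allow = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            allow = value.strip()
    return status, allow

def classify(status):
    """Interpret the status of a PUT/DELETE sent to PROBE_PATH."""
    if status in (405, 501):
        return "rejected"                   # server refuses the method itself
    if status in (401, 403):
        return "blocked-by-access-control"  # request stopped by an access check
    if 200 <= status < 300:
        return "accepted"                   # server acted on the method
    return "inconclusive"                   # e.g. 404 or 3xx: inspect the config

def probe(host, port, method, path=PROBE_PATH, timeout=5):
    """Send one request to a server you administer and classify the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Allow"), classify(resp.status)
    finally:
        conn.close()

# Constructed sample modelled on the 405 page quoted in the post.
SAMPLE_405 = (b"HTTP/1.1 405 Method Not Allowed\r\n"
              b"Server: Apache/1.3.29\r\nAllow: GET, HEAD, OPTIONS, TRACE\r\n\r\n"
              b"<H1>Method Not Allowed</H1>")
```

For the server in the post, `probe("xxx", 8080, "DELETE")` would be the call, with `xxx` standing for the host name as it is masked there.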
Re: [users@httpd] Help required for security vulnerabilities in 1.3.29
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Nick Kew wrote:
> On Tuesday 29 November 2005 12:17, Joost de Heer wrote:
>
>>1.3.34 was released several weeks ago (at least the Unix version, did
>>William Rowe upload the win32 1.3.34 binary yet?)
>
> http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=113147100206551&w=2
>
> I can't find the reference just now, but he later suggested this lack of
> interest means we can finally declare 1.3-on-windows dead.
Yes, at which point Randy our Guru of Win32/modperl reminded me that many
folks do use this, and he personally vouched for the installer.
So, yes, these have been up for the past week.
Bill