Posted to users@httpd.apache.org by syona m <sy...@yahoo.com> on 2005/11/28 20:34:44 UTC

[users@httpd] Help required for security vulnerabilities in 1.3.29

Hi All,

  This is a little urgent. We are making use of Apache 1.3.29 in our project, and running a "Nessus" security scan shows what it believes to be security vulnerabilities found within the Apache ports. They need to know if these are valid security concerns or "False Positives". Below are the case ids:

Potential vulnerability #1 (case 051121-61002): Nessus reports this
message for port 24313/tcp:

  It seems that the DELETE method is enabled on your web server.
  Although we could not exploit this, you'd better disable it.
  Solution: disable this method
  Risk factor: Medium

Potential vulnerability #2 (case 051121-61005): Nessus reports this
message for port 8080/tcp:

  The target is running an Apache web server which allows for the
  injection of arbitrary escape sequences into its error logs. An
  attacker might use this vulnerability in an attempt to exploit similar
  vulnerabilities in terminal emulators.

Potential vulnerability #3 (case 051121-61009): Nessus reports this
message for port http-proxy 8080/tcp:

Potential vulnerability #4: Nessus reports this
message for port http-proxy 8080/tcp:

  The target is running an Apache web server that may not properly
  handle access controls. In effect, on big-endian 64-bit platforms,
  Apache fails to match allow or deny rules
  containing an IP address but not a netmask.

Potential vulnerability #5: Nessus reports this
message for port 24313/tcp:

  It seems that the PUT method is enabled on your web server. Although
  we could not exploit this, you'd better disable it.

  All I am looking for is some help in the above direction which can help me in analysing whether these vulnerabilities exist. As I am totally new to Apache, any help will be totally appreciated.

  Thanks and Regards
  Syona

  PS I can even give my contact number if anyone has some detailed information


Re: [users@httpd] Help required for security vulnerabilities in 1.3.29

Posted by Joost de Heer <sa...@xs4all.nl>.
>> 1.3.34 was released several weeks ago (at least the Unix version, did
>> William Rowe upload the win32 1.3.34 binary yet?)
>
> http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=113147100206551&w=2
>
> I can't find the reference just now, but he later suggested this lack of
> interest means we can finally declare 1.3-on-windows dead.

Well, it looks like the win32 build of 1.3.34 is available now....

Joost


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Help required for security vulnerabilities in 1.3.29

Posted by syona m <sy...@yahoo.com>.
Hi All,

  I have come to know that by default the DELETE and PUT methods are disabled in the Apache web server. Is there any way I can test for the same?

  Following the tips mentioned in the following site: http://software.newsforge.com/article.pl?sid=04/09/17/1527247&tid=78&tid=48
"To test the PUT method, use a tool like curl to attempt a file upload:
curl -T test.asp http://www.mywebsite.com/
 Next, try to access the file. If you can, then the PUT method is enabled.
To test the DELETE method, connect to the server using telnet and issue the following command:
DELETE / HTTP/1.0\n \n
 where is the file you want to delete (ie: index.html). If the file gets removed, the DELETE method is enabled"

Using the curl tool it was seen that the PUT method is not impacting our software:
D:\curl\curl-7.15.0>curl -T README http://xxx:8080/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>405 Method Not Allowed</TITLE>
</HEAD><BODY>
<H1>Method Not Allowed</H1>
The requested method PUT is not allowed for the URL /README.<P>
<HR>
<ADDRESS>Apache/1.3.29 Server at indmft6 Port 8080</ADDRESS>
</BODY></HTML>

For using the same tool for the DELETE method we were not able to log in to the server.

  Trying directly to test the DELETE method:
  DELETE <file>  HTTP/1.0\n \n
  # DELETE
DELETE: not found
#

  I got this; is this a valid testing result, or is "command: not found" a message coming from the Solaris operating system?

  Please let me know if there is any other way I could verify for sure that this method is not being used by the Apache installed on my machine.

  Thanks for the help
  Regards
  Priya
   
  



Re: [users@httpd] Help required for security vulnerabilities in 1.3.29

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Nick Kew wrote:
> On Tuesday 29 November 2005 12:17, Joost de Heer wrote:
> 
>>1.3.34 was released several weeks ago (at least the Unix version, did
>>William Rowe upload the win32 1.3.34 binary yet?)
> 
> http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=113147100206551&w=2
> 
> I can't find the reference just now, but he later suggested this lack of 
> interest means we can finally declare 1.3-on-windows dead.

Yes, at which point Randy our Guru of Win32/modperl reminded me that many
folks do use this, and he personally vouched for the installer.

So, yes, these have been up for the past week.

Bill



Re: [users@httpd] Help required for security vulnerabilities in 1.3.29

Posted by Nick Kew <ni...@webthing.com>.
On Tuesday 29 November 2005 12:17, Joost de Heer wrote:
> > To start, you can get information on apache 1.3 security vulnerabilities
> > here:
> > http://httpd.apache.org/security/vulnerabilities_13.html
> > You'll notice this lines up quite closely with the list you quote.
> > All of these problems could be fixed simply by upgrading your server
> > to the most recent 1.3 release: 1.3.33.
>
> 1.3.34 was released several weeks ago (at least the Unix version, did
> William Rowe upload the win32 1.3.34 binary yet?)

http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=113147100206551&w=2

I can't find the reference just now, but he later suggested this lack of 
interest means we can finally declare 1.3-on-windows dead.

-- 
Nick Kew



Re: [users@httpd] Help required for security vulnerabilities in 1.3.29

Posted by Joost de Heer <sa...@xs4all.nl>.
> To start, you can get information on apache 1.3 security vulnerabilities
> here:
> http://httpd.apache.org/security/vulnerabilities_13.html
> You'll notice this lines up quite closely with the list you quote.
> All of these problems could be fixed simply by upgrading your server
> to the most recent 1.3 release: 1.3.33.

1.3.34 was released several weeks ago (at least the Unix version, did
William Rowe upload the win32 1.3.34 binary yet?)

Joost




Re: [users@httpd] Help required for security vulnerabilities in 1.3.29

Posted by Joshua Slive <js...@gmail.com>.
On 11/29/05, syona m <sy...@yahoo.com> wrote:
> I understood what you had explained but still I wanna test it to see whether
> my application is impacted. I am looking for steps in which I can test
> whether this vulnerability is exposed at my server.

Given that you are running 1.3.29, the "vulnerability" is definitely
there.  Just make a request for
http://yoursite.example.com/?arbitrary-escape-sequence-here and then
view it in the access_log.  That won't prove anything useful, of
course.

Joshua.



Re: [users@httpd] Help required for security vulnerabilities in 1.3.29

Posted by syona m <sy...@yahoo.com>.
I understood what you had explained but still I wanna test it to see whether my application is impacted. I am looking for steps in which I can test whether this vulnerability is exposed at my server. 


Re: [users@httpd] Help required for security vulnerabilities in 1.3.29

Posted by Joshua Slive <js...@gmail.com>.
On 11/29/05, syona m <sy...@yahoo.com> wrote:
> Thanks for the help Joshua
>
> Can anyone suggest me how can I test whether my server is impacted by the
> escape sequence vulnerability
> " The target is running an Apache web server which allows for the injection
> of arbitrary escape sequences into its error logs. An attacker might use
> this vulnerability in an attempt to exploit similar vulnerabilities in
> terminal emulators.                                    "

I thought I already explained that: this is a very minor security
issue and will only affect you if you view raw log files at the
terminal using a vulnerable terminal emulator.  So just don't view raw
log files at the terminal and you are fine.

Joshua.
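A defender-side illustration of the advice above, added here and not part of the thread: instead of viewing raw logs at a terminal, pass them through a filter that rewrites control bytes as visible escapes and reports which lines carried them. The sample log lines are constructed and the function names are my own.

```python
import re

# Constructed access_log lines for the demo (not from the original thread).
# The second line carries a raw ESC byte (0x1b) followed by terminal control
# sequences ("clear screen", "cursor home"); the third carries a raw tab.
SAMPLE_LOG = [
    '10.0.0.7 - - [29/Nov/2005:12:17:00 +0000] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.9 - - [29/Nov/2005:12:17:05 +0000] "GET /?\x1b[2J\x1b[H HTTP/1.0" 200 1234',
    '10.0.0.9 - - [29/Nov/2005:12:17:06 +0000] "GET /a\tb HTTP/1.0" 404 210',
]

# C0 control bytes plus DEL: everything a terminal emulator might act on.
CONTROL_RE = re.compile(r'[\x00-\x1f\x7f]')

# Named C-style escapes for the common whitespace controls; any other
# control byte is rendered as \xhh.
NAMED_ESCAPES = {'\n': r'\n', '\r': r'\r', '\t': r'\t', '\b': r'\b', '\v': r'\v'}


def escape_line(line):
    """Rewrite a log line so it is safe to print at a terminal: control bytes
    become visible escapes, and a literal backslash is doubled so that an
    escaped byte cannot be confused with backslash text already in the log."""
    out = []
    for ch in line:
        if ch == '\\':
            out.append(r'\\')
        elif ch in NAMED_ESCAPES:
            out.append(NAMED_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) == 0x7f:
            out.append(r'\x%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def has_control_chars(line):
    """True when the line contains a byte a terminal could interpret."""
    return CONTROL_RE.search(line) is not None


def sanitize_log(lines):
    """Return (escaped_lines, flagged_line_numbers): every line escaped, plus
    the 1-based numbers of the lines that carried control bytes."""
    escaped, flagged = [], []
    for no, line in enumerate(lines, 1):
        if has_control_chars(line):
            flagged.append(no)
        escaped.append(escape_line(line))
    return escaped, flagged


if __name__ == '__main__':
    escaped_lines, flagged_lines = sanitize_log(SAMPLE_LOG)
    for no, text in enumerate(escaped_lines, 1):
        marker = '!' if no in flagged_lines else ' '
        print('%s %s' % (marker, text))
```

Piping a real log through this (or any equivalent such as `cat -v`) shows injected sequences as text rather than handing them to the terminal.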



Re: [users@httpd] Help required for security vulnerabilities in 1.3.29

Posted by syona m <sy...@yahoo.com>.
Thanks for the help Joshua

  Can anyone suggest how I can test whether my server is impacted by the escape sequence vulnerability
  "The target is running an Apache web server which allows for the injection of arbitrary escape sequences into its error logs. An attacker might use this vulnerability in an attempt to exploit similar vulnerabilities in terminal emulators."

  Thanks for help

  Regards
  Priya
  ESN 6 393 1598


Re: [users@httpd] Help required for security vulnerabilities in 1.3.29

Posted by Joshua Slive <js...@gmail.com>.
On 11/28/05, syona m <sy...@yahoo.com> wrote:
>
> First, my sincere apologies to Joshua for the inconvenience caused. Seeing these vulnerabilities panicked me. Please accept my apologies and it won't be happening again
>
> to answer your questions, I have the following info
> 1) We make use of Sun Solaris 8; I am not sure whether this is a big or small endian 64 bit platform

Solaris sparc is big-endian, I believe. (Solaris Intel is
little-endian.)  You may or may not have 64-bit, depending on how you
installed.

In this case, you need to make sure that any "Deny" directive you have
in httpd.conf also uses a netmask (as in Deny from
10.1.0.0/255.255.0.0).

> 2) Our software is deployed at the customer site so upgrading to a new Apache version doesn't seem to be a solution for us

That's not very good.  At some point there may be a security problem
that is serious.  What are you going to do then?  A minor upgrade of
apache is quite easy to do, so that is definitely the recommended
course of action.  Having installed software that you are unable to
patch is a very bad idea.

> 1) How can I run htpasswd as setuid? I am not clear about this point

htpasswd is *not* normally run suid, and that is fine.  This bug only
applies if you let untrusted users run htpasswd using privileges other
than their own.  This is not a typical setup and you wouldn't have it
setup that way unless you specifically changed the permissions.  If
you are really worried, just delete htpasswd, which you probably don't
need.

> 2) Is there any way I can test by injecting escape sequences into an Apache error or access log?

Sure, but what is the point?  Escape sequences in the log are not
dangerous.  It has been possible to put raw garbage in the apache log
since the first version of apache, and this has always been clearly
documented.  You should just avoid using a broken terminal emulator
that may interpret the escape sequences.  (To be safe, just never view
the logs at the terminal.  Use an editor as in "tail error_log > tmp;
vi tmp".)

Joshua.
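An added example (not from the thread or the Apache project) that applies Joshua's netmask advice mechanically: it scans an httpd.conf fragment for Allow/Deny rules that name an IP address without a netmask and prints the address/netmask form to use instead, in the style of his "Deny from 10.1.0.0/255.255.0.0". The config fragment is constructed and the function names are assumptions.

```python
import re

# Constructed httpd.conf fragment for the demo (not from the original thread).
SAMPLE_CONF = """\
<Directory "/usr/local/apache/htdocs/admin">
    Order deny,allow
    Deny from all
    Allow from 10.1.0.0/255.255.0.0
    Allow from 192.168.1.5
    Allow from 10.2
    Allow from .example.com
</Directory>
"""

# 'Allow from ...' / 'Deny from ...' directives of mod_access (Apache 1.3).
DIRECTIVE_RE = re.compile(r'^\s*(Allow|Deny)\s+from\s+(.+?)\s*$', re.IGNORECASE)
# A full (a.b.c.d) or partial (a, a.b, a.b.c) dotted IPv4 address with no mask.
BARE_IP_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){0,3}$')


def needs_netmask(arg):
    """True when an Allow/Deny argument is an IP address written without a
    netmask.  'all', hostnames, env=... and address/netmask or CIDR forms
    are left alone."""
    lowered = arg.lower()
    if '/' in arg or lowered == 'all' or lowered.startswith('env='):
        return False
    return BARE_IP_RE.match(arg) is not None


def with_netmask(arg):
    """Rewrite a bare address into the equivalent address/netmask form:
    '10.2' -> '10.2.0.0/255.255.0.0', '192.168.1.5' -> '192.168.1.5/255.255.255.255'."""
    octets = arg.split('.')
    missing = 4 - len(octets)
    addr = '.'.join(octets + ['0'] * missing)
    mask = '.'.join(['255'] * len(octets) + ['0'] * missing)
    return addr + '/' + mask


def audit(conf_text):
    """Return (line_no, rule_as_written, rule_with_netmask) for every
    Allow/Deny rule that names an address without a netmask."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if m is None:
            continue
        directive, args = m.group(1), m.group(2)
        for arg in args.split():
            if needs_netmask(arg):
                findings.append((no,
                                 '%s from %s' % (directive, arg),
                                 '%s from %s' % (directive, with_netmask(arg))))
    return findings


if __name__ == '__main__':
    for no, found, fixed in audit(SAMPLE_CONF):
        print('line %d: %-28s -> %s' % (no, found, fixed))
```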



Re: [users@httpd] Help required for security vulnerabilities in 1.3.29

Posted by syona m <sy...@yahoo.com>.
First, my sincere apologies to Joshua for the inconvenience caused. Seeing these vulnerabilities panicked me. Please accept my apologies and it won't be happening again.

  To answer your questions, I have the following info:
  1) We make use of Sun Solaris 8; I am not sure whether this is a big or small endian 64 bit platform
  2) Our software is deployed at the customer site so upgrading to a new Apache version doesn't seem to be a solution for us
  3) Also will try to find the answers to the other questions put

  Here I have the following other questions:
  1) How can I run htpasswd as setuid? I am not clear about this point
  2) Is there any way I can test by injecting escape sequences into an Apache error or access log?

  Thanks for all your time and help, and I am sorry again for the inconvenience caused
   
  Thanks and Regards
  Syona
  

Re: [users@httpd] Help required for security vulnerabilities in 1.3.29

Posted by Joshua Slive <js...@gmail.com>.
On 11/28/05, syona m <sy...@yahoo.com> wrote:
> Hi All,
>
> This is a little urgent. We are making use of Apache 1.3.29 in our project
> and running a "Nessus" security scan shows what it believes to be
> security vulnerabilities found within the Apache ports.  They need to know if
> these are valid security concerns or "False Positives". Below are the case
> ids

First, you need to think a little more about what you are doing before
sending scattershot email to every address you can find.  You sent
this message also to me personally, to our security notification
address (which specifically forbids messages of this type) and to
god-only-knows how many other addresses.  I find this very rude and
inconsiderate since it wastes the time of the people who you want to
help you.  Please consider this the next time you have a problem.

The appropriate forum for this type of question is the
users@httpd.apache.org mailing list, to which I am now replying.

To start, you can get information on apache 1.3 security vulnerabilities here:
http://httpd.apache.org/security/vulnerabilities_13.html
You'll notice this lines up quite closely with the list you quote. 
All of these problems could be fixed simply by upgrading your server
to the most recent 1.3 release: 1.3.33.

Are these important security vulnerabilities?  Not really, but it
depends on the context.  If you are running on a 64-bit big-endian
platform, then CVE-2003-0993 could be a problem.  If you let untrusted
users run ssi, then CVE-2004-0940 could be a problem.  If you are a
frequent target of Denial of Service attacks, then several of them
might be important.

The PUT and DELETE warnings are probably a false positive, but I don't
know how Nessus is doing its testing, so I can't tell for sure.  Do
you run mod_dav?  Do you run a CGI script that doesn't check its
methods?

Joshua.
