TECH TIPS
Apache Web server under attack
James Michael Stewart
01.21.2003
Rating: -3.83- (out of 5)
|
Microsoft's Internet Information Server is not the only Web server product that has vulnerabilities the vendor doesn't want to acknowledge. Apache 1.3.x for OpenBSD systems has an exploitable vulnerability that the Apache Software Foundation adamantly claimed was un-exploitable. Leave it up to the collective Internet intelligence to discover ways of doing the improbable and even some of the impossible.
The exploit, known as Apache-scalp.c enables remote crackers to access a command shell on any unpatched system running Apache 1.3.x on OpenBSD. The creator of the exploit, Gobbles Security, claims that this exploit could be easily ported against Apache versions for Sun Solaris, Linux and FreeBSD. Gobbles Security released the exploit only after repeatedly hearing that there was no exploitable vulnerability. A patch to correct this problem is available for just about every Apache platform. So, if you use Apache, it's time to patch a new hole.
What concerns me about this issue is just how difficult it is, even with the open source communities, to get developers and vendors to admit to security vulnerabilities, especially before an exploit is available in the wild. You would think that in today's security-conscious environment that any hint of a securi
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
ty vulnerability, especially on a popular and widely used product, would at least be taken seriously. With efforts to squelch or restrict public reporting of vulnerabilities for weeks or months, the lag between discovery and resolution can only become longer. If vendors are not motivated to resolve security problems until there are active media-hyped attacks occurring, then we as consumers will be getting an even shorter stick as the motivational element in this equation is silenced (i.e. prevention of public reporting of vulnerabilities).
Granting vendors a few weeks to create solutions to discovered problems and withholding public announcement of vulnerabilities until a patch is available sounds great, in an ideal world. Unfortunately, public disclosure seems to be the last remaining factor the consumer community can use to motivate vendors to resolve serious security issues in a timely manner. I think granting vendors a few days to verify and acknowledge vulnerabilities is a good thing. But I don't agree with the policy employed by many vendors: remaining completely silent or denying vulnerabilities for weeks, only then to reverse their stance once a patch is available.
James Michael Stewart is a researcher and writer for Lanwrights, Inc.
|
|
Rate this Tip
|
To rate tips, you must be a member of SearchSecurity.com.
Register now
to start rating these tips. Log in if you are already a member.
|
DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
|
|
|
|
|
|
|
