Re: Apache vulnerability checking

From: Toni Heinonen (Toni.Heinonenat_private)
Date: Mon Jun 24 2002 - 12:17:02 PDT

    > Anyway, I thought that when I'm sure it's an apache server
    > ("Server: Apache blabla") and it crashes then it must be 
    > vulnerable. Is this always the case? This morning I received 
    > a mail from some admin who I had mailed and he told me they 
    > had already upgraded. Full server version:
    > "Server: Apache/1.3.24 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.8  
    > OpenSSL/0.9.6b mod_perl/1.26"
    > 
    > So my question is: has Red Hat changed something in the
    > bad-chunked-encoding-detected-behavior in their backport or did
    > this guy just forget to restart Apache?
    
    Indeed, Red Hat 7.2 carries Apache 1.3.22 and 7.3 has 1.3.23, and
    probably for compatibility reasons the upgraded RPM didn't upgrade
    Apache to 1.3.26, but simply patches the old version's chunked-encoding
    code. So in essence it's the old, vulnerable version of Apache with a
    patch. For instance, eEye's tool reports my patched RH7.2 server as
    "vulnerable", because it only checks the server string; it doesn't try
    to exploit the vulnerability.
    
    See Red Hat's advisory:
    http://rhn.redhat.com/errata/RHSA-2002-103.html
    
    Notice, on RH7.2, the upgrade from apache-1.3.22-2.i386.rpm (base
    system, or perhaps left from earlier upgrade) to
    apache-1.3.22-6.i386.rpm. The Apache version remains the same, but the
    RPM'd package version is upgraded.
    
    -- 
    Toni Heinonen, Teleware Oy
      Wireless +358 (40) 836 1815
      Telephone +358 (9) 3434 9123
      toni.heinonenat_private
      www.teleware.fi
    


