Re: What are the dangers of having a Webserver?
From: B. Joshua Rosen (bjrosen@polybus.com)
Date: 11/29/02
- Next message: Jem Berkes: "Re: i386 linux kernel proof-of-concept DoS"
- Previous message: david: "Re: local nets"
- In reply to: Nico Kadel-Garcia: "Re: What are the dangers of having a Webserver?"
- Next in thread: Nico Kadel-Garcia: "Re: What are the dangers of having a Webserver?"
- Reply: Nico Kadel-Garcia: "Re: What are the dangers of having a Webserver?"
- Reply: Luke Vogel: "Re: What are the dangers of having a Webserver?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "B. Joshua Rosen" <bjrosen@polybus.com> Date: Fri, 29 Nov 2002 12:08:53 -0500
On Fri, 29 Nov 2002 10:30:17 -0500, Nico Kadel-Garcia wrote:
> "B. Joshua Rosen" <bjrosen@polybus.com> wrote in message
> news:pan.2002.11.29.15.22.17.469215.19328@polybus.com...
>> I keep reading about various security problems being found with Apache
>> but I'm unclear about how it's possible for someone to get into a
>> system through the webserver port, would someone please explain what
>> the dangers are of having a webserver? I have two ports open on my
>> firewall (a hardware router), 22 for SSH (I require RSA authentication
>> so I feel pretty good about that port) and 80 for HTTP. I have a simple
>> website, just HTML and JPEGs, what exposure do I have?
>
> First: Apache is vastly better than IIS for obvious reasons, but also
> better than Sun's Iplanet because it's open source and *DOCUMENTED*.
>
> Second. Very few people use only HTML/JPEG. They tend to use add-on
> sophistication such as log-on procedures, various badly written CGI
> scripts in shell recommended by their friends who don't think about
> security, do dumb things like run HTTPD as root so it can see all users'
> ~/public_html directories without having to argue about it, etc., etc.
> This can be dangerous, because these tools are often not written well
> and can be leveraged to provide more access.
>
> Third: there are very occasionally bugs in the servers themselves such
> that a long enough, cleverly formed HTTP request can cause an overflow
> of some sort or another and get the server to do something it shouldn't
> be doing, like returning a copy of the /etc/passwd file so that the
> cracker can run "crack" against it and try to guess people's passwords.
Cracking the /etc/passwd would only be useful if there is some way to
log in to the systems using a password. In my case the only ports open are
for SSH and I specifically disallow password authentication, I require RSA
authentication and that would require getting access to the private keys
of the authorized systems which aren't on the system that hosts the
webserver. I'm running the webserver with the Redhat defaults which runs
the webserver as user apache not as root so in theory it shouldn't be
possible to modify anything in the /etc directory. So is there anything
else to be worried about?
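As an added example (not part of the thread, and not anyone's actual configuration), a small Python check of the two properties the reply above relies on: sshd refuses password logins, so cracked /etc/passwd hashes are useless, and httpd runs as an unprivileged user. The sample config texts are constructed; the parser follows the first-occurrence rule both daemons use for single-valued directives.

```python
import re

# Constructed sample configs mirroring the poster's stated setup:
# key-only SSH on port 22 and Apache running as the "apache" user.
SSHD_CONFIG = """\
Port 22
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
"""

HTTPD_CONF = """\
User apache
Group apache
Listen 80
"""


def parse_directives(text):
    """Map lower-cased keyword -> first value seen.

    sshd_config keywords are case-insensitive and accept "Key value" or
    "Key=value"; both sshd and httpd honour the first occurrence of a
    single-valued directive, so later duplicates are ignored here too.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            found.setdefault(parts[0].lower(), parts[1].strip())
    return found


def audit_exposure(sshd_config, httpd_conf):
    """Return a list of findings; an empty list means both properties hold."""
    ssh = parse_directives(sshd_config)
    web = parse_directives(httpd_conf)
    findings = []
    # OpenSSH defaults PasswordAuthentication to "yes", so absence counts.
    if ssh.get("passwordauthentication", "yes").lower() != "no":
        findings.append("sshd: PasswordAuthentication is not 'no'; "
                        "a cracked /etc/passwd hash could be used to log in")
    if ssh.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("sshd: PubkeyAuthentication disabled; key-only login impossible")
    # Apache's User directive names the account worker processes drop to.
    user = web.get("user")
    if user is None or user == "root":
        findings.append("httpd: User directive missing or 'root'; "
                        "a server bug would run with full privilege")
    return findings
```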