Re: What are the dangers of having a Webserver?

From: B. Joshua Rosen (bjrosen@polybus.com)
Date: Fri, 29 Nov 2002 12:08:53 -0500

On Fri, 29 Nov 2002 10:30:17 -0500, Nico Kadel-Garcia wrote:

> "B. Joshua Rosen" <bjrosen@polybus.com> wrote in message
> news:pan.2002.11.29.15.22.17.469215.19328@polybus.com...
>> I keep reading about various security problems being found with Apache
>> but I'm unclear about how it's possible for someone to get into a
>> system through the webserver port, would someone please explain what
>> the dangers are of having a webserver? I have two ports open on my
>> firewall (a hardware router), 22 for SSH (I require RSA authentication
>> so I feel pretty good about that port) and 80 for HTTP. I have a simple
>> website, just HTML and JPEGs, what exposure do I have?
>
> First: Apache is vastly better than IIS for obvious reasons, but also
> better than Sun's Iplanet because it's open source and *DOCUMENTED*.
>
> Second: Very few people use only HTML/JPEG. They tend to use add-on
> sophistication such as log-on procedures, various badly written CGI
> scripts in shell recommended by their friends who don't think about
> security, do dumb things like run HTTPD as root so it can see all users'
> ~/public_html directories without having to argue about it, etc., etc.
> This can be dangerous, because these tools are often not written well
> and can be leveraged to provide more access.
>
> Third: there are very occasionally bugs in the servers themselves such
> that a long enough, cleverly formed HTTP request can cause an overflow
> of some sort or another and get the server to do something it shouldn't
> be doing, like returning a copy of the /etc/passwd file so that the
> cracker can run "crack" against it and try to guess people's passwords.

Cracking the /etc/passwd would only be useful if there is some way to
login to the systems using a password. In my case the only ports open are
for SSH and I specifically disallow password authentication, I require RSA
authentication and that would require getting access to the private keys
of the authorized systems which aren't on the system that hosts the
webserver. I'm running the webserver with the Redhat defaults which runs
the webserver as user apache not as root so in theory it shouldn't be
possible to modify anything in the /etc directory. So is there anything
else to be worried about?
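The post above rests on two controls: sshd refusing password logins while accepting public keys, and httpd dropping to a non-root user. The script below is an added example written for this page, not code from either poster, that audits both settings from the config files. It constructs its own sample sshd_config and httpd.conf fragments so it runs offline; on a real host you would point the functions at /etc/ssh/sshd_config and /etc/httpd/conf/httpd.conf (paths assumed, and only the whitespace-separated "Keyword value" form is parsed). It also encodes two caveats the thread does not spell out: sshd honours the first occurrence of a keyword, so a hardening line appended below an earlier "yes" is dead, and with UsePAM a "ChallengeResponseAuthentication yes" can still prompt for the account password even when PasswordAuthentication is off.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): audit the two controls the
# post above relies on. Checks: sshd refuses password logins and accepts
# public keys; httpd is configured to drop to a non-root user. The config
# snippets below are constructed so this runs offline; on a real host point
# the functions at /etc/ssh/sshd_config and /etc/httpd/conf/httpd.conf.
# Assumes "Keyword value" lines separated by whitespace (no "=" form).

# sshd takes the FIRST value it sees for a keyword; later lines are ignored.
# Lines after the first "Match" block are conditional and skipped here.
ssh_effective() {   # $1 = config file, $2 = keyword (case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/             { next }                  # comment line
        tolower($1) == "match" { exit }                  # stop at Match
        tolower($1) == key     { print tolower($2); exit } # first hit wins
    ' "$1"
}

ssh_password_auth_disabled() {
    # Both keywords default to "yes", so an absent line means passwords work.
    # With UsePAM, challenge-response (keyboard-interactive) still prompts
    # for the account password, so it has to be off as well.
    [ "$(ssh_effective "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(ssh_effective "$1" ChallengeResponseAuthentication)" = "no" ]
}

ssh_pubkey_auth_enabled() {
    # Default is "yes"; only an explicit "no" turns key auth off.
    [ "$(ssh_effective "$1" PubkeyAuthentication)" != "no" ]
}

# httpd takes the LAST User directive at a given scope.
httpd_user() {   # $1 = httpd.conf; prints the configured User, if any
    awk '/^[ \t]*#/ { next } tolower($1) == "user" { u = $2 } END { print u }' "$1"
}

httpd_runs_unprivileged() {
    u=$(httpd_user "$1")
    # Require an explicit non-root User ("#0" is uid 0 in Apache's #uid form).
    # An unset User is reported as a failure: this check cannot see the
    # compiled-in default, so go and look rather than assume.
    [ -n "$u" ] && [ "$u" != "root" ] && [ "$u" != "#0" ]
}

# Live check for a running server (not used in the offline demo). The parent
# httpd stays root so it can bind port 80; what must NOT be root are the
# worker processes that actually parse requests.
httpd_live_users() {
    ps -eo user=,comm= | awk '$2 == "httpd" || $2 == "apache2" { print $1 }' | sort -u
}

# --- constructed sample configs (not real files from any host) -------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Looks hardened but is not: the earlier "yes" wins, the appended "no" is dead.
cat > "$tmp/sshd_bad" <<'EOF'
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# added later by an admin; sshd silently ignores it
PasswordAuthentication no
EOF

cat > "$tmp/sshd_good" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

cat > "$tmp/httpd_root" <<'EOF'
User root
Group root
EOF

cat > "$tmp/httpd_ok" <<'EOF'
# Red Hat's packaged default
User apache
Group apache
EOF

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report ssh_password_auth_disabled "$tmp/sshd_bad"    # FAIL
report ssh_password_auth_disabled "$tmp/sshd_good"   # PASS
report ssh_pubkey_auth_enabled    "$tmp/sshd_good"   # PASS
report httpd_runs_unprivileged    "$tmp/httpd_root"  # FAIL
report httpd_runs_unprivileged    "$tmp/httpd_ok"    # PASS
```

The file-based checks say what the daemons will read, not what they are doing now; after a config change, confirm with `sshd -T` (which prints the effective settings) and with `httpd_live_users` on the running box. Note that even when every check passes, a bug in httpd still yields code execution as the apache user, which can read any world-readable file (/etc/passwd included) and open outbound connections; the non-root user limits the blast radius, it does not remove it.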


