Re: Dumb Apache server moves?

From: Jem Berkes (jb@users.pc9.org)
Date: 02/06/03


From: Jem Berkes <jb@users.pc9.org>
Date: Thu, 06 Feb 2003 19:29:04 GMT


> Just food for thought: What do you think are the most common security
> mistakes regarding configuration of Apache? Not so much security
> flaws, but default configurations / dumb default settings that should
> be changed?
>
> I am sort of new to this but have become the impromptu expert in my
> department. Any thoughts from the Apache world?

Things that briefly flash into my mind. Don't know if they're default.

- Letting untrusted users execute CGI scripts
- Letting untrusted users use .htaccess
- The default CGI demo programs are TROUBLE

-- 
Jem Berkes
http://www.pc-tools.net/
Windows, Linux & UNIX software
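
The three items in the reply above can be checked mechanically. The following is an added example, not part of the original post: a small Python audit that flags `AllowOverride` and `Options` lines for review. The sample config, the function names, and the demo script names `printenv` and `test-cgi` are assumptions of this example; the script cannot tell which users are trusted, so each finding is a line for an administrator to review.

```python
import re

# Constructed sample config (not from the post): a per-user web area left open.
SAMPLE_CONF = """\
<Directory "/home/*/public_html">
    AllowOverride All
    Options Indexes +ExecCGI
</Directory>
<Directory "/var/www/html">
    AllowOverride None
    Options -ExecCGI
</Directory>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
"""

# Demo CGI scripts commonly shipped in Apache's cgi-bin (not named in the post).
DEMO_CGI = {"printenv", "test-cgi"}
SECTIONS = r"(Directory|DirectoryMatch|Location|Files)"

def audit_conf(text):
    """Return (line_no, scope, issue) for each risky AllowOverride/Options line."""
    findings, scope = [], ["(server)"]
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<" + SECTIONS + r"\s+(.+?)>$", line, re.I)
        if opened:
            scope.append(opened.group(2).strip('"'))
        elif re.match(r"</" + SECTIONS + r">$", line, re.I) and len(scope) > 1:
            scope.pop()
        else:
            name, *args = line.lower().split()
            if name == "allowoverride" and args != ["none"]:
                findings.append((no, scope[-1], ".htaccess overrides allowed"))
            elif name == "options" and {"execcgi", "+execcgi", "all"} & set(args):
                findings.append((no, scope[-1], "CGI execution enabled"))
    return findings

def demo_cgi_present(filenames):
    """Return the demo scripts found among a cgi-bin directory's file names."""
    return sorted(DEMO_CGI & {f.lower() for f in filenames})

if __name__ == "__main__":
    for no, where, issue in audit_conf(SAMPLE_CONF):
        print(f"line {no}: {where}: {issue}")
    print("demo CGI present:", demo_cgi_present(["printenv", "report.cgi"]))
```
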

