Re: [EMAIL PROTECTED] security bug in Apache regarding SSI and symbolic links?

2008-11-15 Thread Nick Kew
On 15 Nov 2008, at 03:54, Paul B. Henson wrote: Last month I had a problem where SSI appeared to be ignoring the SymlinkIfOwnerMatch configuration directive. I opened a bug, and eventually discovered what appears to be a problem in the ap_directory_walk function, where reusing cached dire

[EMAIL PROTECTED] security bug in Apache regarding SSI and symbolic links?

2008-11-14 Thread Paul B. Henson
Last month I had a problem where SSI appeared to be ignoring the SymlinkIfOwnerMatch configuration directive. I opened a bug, and eventually discovered what appears to be a problem in the ap_directory_walk function, where reusing cached directory information bypasses the symbolic link check. I th

[EMAIL PROTECTED] Security

2008-09-15 Thread EJMcLeod
Hey Guys, I have no need for anybody to have access to my server except me. I run a couple of different webpages but they're just standard and don't have any need for special security, i.e. no login pages and no passwords, just for viewing type. Should I add extra security precautions that I sho

[EMAIL PROTECTED] Security Question

2008-05-21 Thread Chris Tracy
Hey all, Quick question about a vulnerability that was already fixed. I'm specifically talking about the mod_autoindex UTF-7 XSS vulnerability that is fixed in Apache 2.2.6. You can find it discussed under the Security Reports for Apache 2.2 ( http://httpd.apache.org/security/vulnerabilities_22.ht

Re: [EMAIL PROTECTED] security issue

2007-12-12 Thread Neil A. Hillard
Hi, Karel Kubat wrote: > Hi Hiep, > > On Dec 12, 2007, at 3:13 PM, Hiep Nguyen wrote: > >> i installed apache on centos 5 and i have some questions regarding >> security for apache. i read security tips on >> http://httpd.apache.org/docs/2.2/misc/security_tips.html and get the >> idea, but stil

Re: [EMAIL PROTECTED] security issue

2007-12-12 Thread Hiep Nguyen
On Wed, 12 Dec 2007, Karel Kubat wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Hiep, On Dec 12, 2007, at 3:13 PM, Hiep Nguyen wrote: i installed apache on centos 5 and i have some questions regarding security for apache. i read security tips on http://httpd.apache.org/docs/2.2/mi

Re: [EMAIL PROTECTED] security issue

2007-12-12 Thread Karel Kubat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Hiep, On Dec 12, 2007, at 3:13 PM, Hiep Nguyen wrote: i installed apache on centos 5 and i have some questions regarding security for apache. i read security tips on http:// httpd.apache.org/docs/2.2/misc/security_tips.html and get the idea,

[EMAIL PROTECTED] security issue

2007-12-12 Thread Hiep Nguyen
hi list, i installed apache on centos 5 and i have some questions regarding security for apache. i read security tips on http://httpd.apache.org/docs/2.2/misc/security_tips.html and get the idea, but still need some advices from guru here. /etc/httpd/conf/httpd.conf: ServerRoot "/etc/httpd

SV: [EMAIL PROTECTED] Security problem in apache with forms?

2007-10-30 Thread Harald Heggelund
tober 2007 14:32 > Til: users@httpd.apache.org > Emne: Re: [EMAIL PROTECTED] Security problem in apache with forms? > > Hey Harold, > > > "POST http://87.118.100.88/proxy5/check.php HTTP/1.1" 404 297 > > "POST http://82.228.61.77:49627/Chcks/Data_I.php HTTP/1.1&

Re: [EMAIL PROTECTED] Security problem in apache with forms?

2007-10-30 Thread Joshua Slive
On 10/30/07, Christian Folini <[EMAIL PROTECTED]> wrote: > Hey Harold, > > On Tue, Oct 30, 2007 at 02:29:18PM +0100, Harald Heggelund wrote: > > Since installing a new slackware server with apache and sendmail > > out-of-the-box, I have noticed my server is sending (moderate amounts of) > > spam wo

Re: [EMAIL PROTECTED] Security problem in apache with forms?

2007-10-30 Thread Christian Folini
Hey Harold, On Tue, Oct 30, 2007 at 02:29:18PM +0100, Harald Heggelund wrote: > Since installing a new slackware server with apache and sendmail > out-of-the-box, I have noticed my server is sending (moderate amounts of) > spam worldwide. > I suspect some webform or cgi-script. In the apache log,

[EMAIL PROTECTED] Security problem in apache with forms?

2007-10-30 Thread Harald Heggelund
Hello, Since installing a new slackware server with apache and sendmail out-of-the-box, I have noticed my server is sending (moderate amounts of) spam worldwide. I suspect some webform or cgi-script. In the apache log, I see lots of these entries: "POST http://87.118.100.88/proxy5/check.php HTTP/

Re: [EMAIL PROTECTED] Security settings in apache

2007-06-17 Thread Sander Temme
Hey Makhan, On Jun 17, 2007, at 5:47 PM, makhan wrote: Thanks man, I did just that , but i am not getting anything in my browser, even running simple commands like date or dir isn't working. I think there is something wrong with my php. What it is i can't find out. You need to go to a PHP

Re: [EMAIL PROTECTED] Security settings in apache

2007-06-17 Thread Res
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message On Sun, 17 Jun 2007, makhan wrote: Thanks man, I did just that , but i am not getting anything in my browser, even running simple commands like date or dir isn't working. I think there is someth

Re: [EMAIL PROTECTED] Security settings in apache

2007-06-17 Thread makhan
Thanks man, I did just that , but i am not getting anything in my browser, even running simple commands like date or dir isn't working. I think there is something wrong with my php. What it is i can't find out. Res-2 wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > NotDashEscaped:

Re: [EMAIL PROTECTED] Security settings in apache

2007-06-17 Thread Res
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message On Sun, 17 Jun 2007, makhan wrote: Thanks man for your reply. I checked my php.ini file and the options which you told me. They are not set, and I am not in the safe mode either so this exec fu

Re: [EMAIL PROTECTED] Security settings in apache

2007-06-17 Thread makhan
Thanks man for your reply. I checked my php.ini file and the options which you told me. They are not set, and I am not in the safe mode either so this exec function should work. I have checked; even simple commands like data or ls are not working correctly. Can you help me out what could be the

Re: [EMAIL PROTECTED] Security settings in apache

2007-06-17 Thread Res
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message On Sun, 17 Jun 2007, makhan wrote: Hi I am trying to run an external program from the php using its exec() function. But it's not executing the program. I think the issue is with the apache secu

Re: [EMAIL PROTECTED] Security settings in apache

2007-06-17 Thread William A. Rowe, Jr.
makhan wrote: > Hi > > I am trying to run an external program from the php using its exec() > function. But it's not executing the program. I think the issue is with the > apache security setting, i.e. it's not allowing external requests to execute > programs on the server. It's a php.ini setting - s

[EMAIL PROTECTED] Security settings in apache

2007-06-17 Thread makhan
Hi I am trying to run an external program from the php using its exec() function. But it's not executing the program. I think the issue is with the apache security setting, i.e. it's not allowing external requests to execute programs on the server. Can someone please guide me how I can enable these

[EMAIL PROTECTED] Security Question

2007-03-02 Thread Tom Ray [Lists]
This really isn't a Apache per se but I'm going to guess that many of you have dealt with this problem in the past and I could use some advice. I'm having issues with people trying to hack my box. They are coming in through php scripts on sites that have 777 directories. I've done a lot to make

Re: [EMAIL PROTECTED] Security glitch with Rewrite and Proxy

2006-09-28 Thread Joshua Slive
On 9/28/06, Germer, Carsten <[EMAIL PROTECTED]> wrote: Red box? I don't see a red box on this page? Wait... I'll take off my see-the-world-in-pink-glasses... Oh, that red box! >_< Gah, I'm sorry. I've updated my apache but haven't read the new documentation. S, since our system is quite depen

RE: [EMAIL PROTECTED] Security glitch with Rewrite and Proxy

2006-09-28 Thread Germer, Carsten
8, 2006 5:13 PM >To: users@httpd.apache.org >Subject: Re: [EMAIL PROTECTED] Security glitch with Rewrite and Proxy > > >On 9/28/06, Germer, Carsten <[EMAIL PROTECTED]> wrote: >> Hi :) >> >Perhaps you have modified your logformat to log origclientaddr? >> Yes, I ha

Re: [EMAIL PROTECTED] Security glitch with Rewrite and Proxy

2006-09-28 Thread Joshua Slive
On 9/28/06, Germer, Carsten <[EMAIL PROTECTED]> wrote: Hi :) >Perhaps you have modified your logformat to log origclientaddr? Yes, I have. Our modified LogFormat puts ORIGCLIENTADDR where originally the IP address is. >Are you running mod_cache? # mod_cache directives CacheDefaultExpire 3600 Cach

RE: [EMAIL PROTECTED] Security glitch with Rewrite and Proxy

2006-09-28 Thread Germer, Carsten
n being touched (no line in RewriteLog). Thanks for your quick reply! /Carsten >-Original Message- >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of >Joshua Slive >Sent: Thursday, September 28, 2006 4:52 PM >To: users@httpd.apache.org >Subject: Re: [EMAIL PROT

Re: [EMAIL PROTECTED] Security glitch with Rewrite and Proxy

2006-09-28 Thread Joshua Slive
On 9/28/06, Germer, Carsten <[EMAIL PROTECTED]> wrote: Hello everyone! I hope there is someone out there who can help with this or can point me out to someone who might be able to... We use Scientific Linux IV (based on Redhat Enterprise 4) and Apache 2.2.3-1i386 (RPM from Apache) Here is the s

[EMAIL PROTECTED] Security glitch with Rewrite and Proxy

2006-09-28 Thread Germer, Carsten
Hello everyone! I hope there is someone out there who can help with this or can point me out to someone who might be able to... We use Scientific Linux IV (based on Redhat Enterprise 4) and Apache 2.2.3-1i386 (RPM from Apache) Here is the snippet from my virthost RewriteEngine on # Block ever

Re: [EMAIL PROTECTED] Security scanners.

2006-04-27 Thread Tony Guadagno
MAIL PROTECTED]> To: Sent: Thursday, April 27, 2006 8:24 PM Subject: Re: [EMAIL PROTECTED] Security scanners. > It was thus said that the Great Georgy Goshin once stated: >> >> Hello, >> >> A few of the virtual hosts on my server were hacked - the content was replaced >>

RE: [EMAIL PROTECTED] Security scanners.

2006-04-27 Thread Billy Nab
: [EMAIL PROTECTED] Security scanners. There is about 50 virtual servers, I can't reinstall now, need to find the hole. The changed file has apache.apache ownership, so I think that the hole in web server of php. G. - Original Message - From: "Sean Conner" <[EM

Re: [EMAIL PROTECTED] Security scanners.

2006-04-27 Thread William A. Rowe, Jr.
Sean Conner wrote: [2] Actually, I do know of some, but they're the software programs that are currently trying to break in through an insecure webserver or CGI scripts. You can check your web logfiles and see plenty of those happening. If any of those requests are

Re: [EMAIL PROTECTED] Security scanners.

2006-04-27 Thread Georgy Goshin
, April 27, 2006 8:24 PM Subject: Re: [EMAIL PROTECTED] Security scanners. It was thus said that the Great Georgy Goshin once stated: Hello, A few of the virtual hosts on my server were hacked - the content was replaced and I can't figure how they did it. Is there any software that will scan

Re: [EMAIL PROTECTED] Security scanners.

2006-04-27 Thread Sean Conner
It was thus said that the Great Georgy Goshin once stated: > > Hello, > > A few of the virtual hosts on my server were hacked - the content was replaced > and I can't figure how they did it. Is there any software that will scan the > web server and check for known security holes? I don't know of

[EMAIL PROTECTED] Security scanners.

2006-04-27 Thread Georgy Goshin
Hello, A few of the virtual hosts on my server were hacked - the content was replaced and I can't figure how they did it. Is there any software that will scan the web server and check for known security holes? Thanks, G. - T

Re: [EMAIL PROTECTED] security question

2006-01-26 Thread Sterpu Victor
Suexec does all the job. The rights were wrong. Sterpu Victor wrote: How do I set up apache so that different virtual hosts can't read each other's files (using cgi's by example)? I know that there is a module that runs a different instance of apache for every virtual host (each instance on a d

[EMAIL PROTECTED] security question

2006-01-26 Thread Sterpu Victor
How do I set up apache so that different virtual hosts can't read each other's files (using cgi's by example)? I know that there is a module that runs a different instance of apache for every virtual host (each instance on a different user). Does someone recall how this module is named? I tried

Re: [EMAIL PROTECTED] Security risk when running as administrator?

2005-11-13 Thread Joshua Slive
On 11/13/05, Siegfried Heintze <[EMAIL PROTECTED]> wrote: > > I've been reading > http://httpd.apache.org/docs/2.0/mod/mpm_common.html#user > and was looking for a windows example. How should I set up a special account > for the web server to run in? In windows, this is done through the services

[EMAIL PROTECTED] Security risk when running as administrator?

2005-11-13 Thread Siegfried Heintze
I’ve been reading http://httpd.apache.org/docs/2.0/mod/mpm_common.html#user and was looking for a windows example. How should I set up a special account for the web server to run in? Siegfried

Re: [EMAIL PROTECTED] security issue

2005-10-19 Thread Kailash Vyas
ssage may be ignored. -Original Message- From: Kailash Vyas [mailto:[EMAIL PROTECTED]] Sent: Mittwoch, 19. Oktober 2005 10:51 To: users@httpd.apache.org Subject: [EMAIL PROTECTED] security issue hi all, I was facing some problems with webserver security. There was a process running on the server which wa

RE: [EMAIL PROTECTED] security issue

2005-10-19 Thread Boyle Owen
wen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. -Original Message- From: Kailash Vyas [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 19. Oktober 2005 10:51 To: users@httpd.apache.org Subject: [EMAIL PROTECTED] security issue hi all, I was facing some problems with

[EMAIL PROTECTED] security issue

2005-10-19 Thread Kailash Vyas
hi all, I was facing some problems with webserver security. There was a process running on the server which was downloaded to tmp directory by using wget from a script making rpc calls on the server. I have disabled the wget execute permissions but how do i make the webserver more secure for

RE: [EMAIL PROTECTED] security

2005-10-05 Thread baynaa
olved :). BR, Baynaa. -Original Message- From: Boyle Owen [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 05, 2005 8:48 PM To: users@httpd.apache.org Subject: RE: [EMAIL PROTECTED] security Plain text please... This has nothing to do with the "software" not being secure.

RE: [EMAIL PROTECTED] security

2005-10-05 Thread Boyle Owen
D] Sent: Mittwoch, 5. Oktober 2005 10:33 To: users@httpd.apache.org Subject: [EMAIL PROTECTED] security Hi, In our web, users should login to access certain contents. But today we've just realized that, one can access those contents without logging in. In other words, just typing http://xxx.xx/g

RE: [EMAIL PROTECTED] security

2005-10-05 Thread baynaa
Can you give me a little bit more info on this issue? One of the number of the ways? From: Peter J Milanese [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 05, 2005 4:39 PM To: users Subject: Re: [EMAIL PROTECTED] security There are a number of ways to handle this

Re: [EMAIL PROTECTED] security

2005-10-05 Thread Peter J Milanese
PROTECTED] Sent: 10/05/2005 04:33 AM To: Subject: [EMAIL PROTECTED] security Hi, In our web, users should login to access certain contents. But today we’ve just realized that, one can access those contents without logging in. In other words, just typing http://xxx.xx/graph_view.php?action

[EMAIL PROTECTED] security

2005-10-05 Thread baynaa
Hi, In our web, users should login to access certain contents. But today we’ve just realized that, one can access those contents without logging in. In other words, just typing http://xxx.xx/graph_view.php?action=""> brings the graphs. We are using free software, maybe that’s why it is not