
tlug: HTTPd server access configuration/Apache security risk



--------------------------------------------------------
tlug note from "Stephen J. Turnbull" <turnbull@example.com>
--------------------------------------------------------
There was a thread a couple of days ago about configuring domain and
client access restrictions on CERN HTTPd.  As I mentioned then, I
don't know anything about CERN's implementation.  However, I did pick
up the latest beta of Apache (1.2b8, which you can get at
http://ring.aist.go.jp/archives/net/apache/ - fastest for me; there
are two other Japanese mirrors which are listed on that page, YMMV).
This is recommended; there are security holes in earlier versions.

Apache does have a complete suite of access control tools.

The size of the file has nearly tripled; this is due to a couple of
additional modules, but mostly because they now include the full
web-based documentation.  The docs are very clear, and seem to apply
in general to NCSA as well.  Apparently there are several aspects
where Apache provides better documentation on NCSA HTTPd than NCSA does
:-)

The security tips are _very_ good, and I should say required reading
for anybody using the NCSA-derived servers.

Note that pre-1.1.3 versions of Apache have a serious security hole;
upgrading is highly recommended.  The 1.2bx series may have a mild
security hole, the docs are not clear on this (1.2b8 is alleged to be
nearly final, and likely to get converted directly to 1.2, yet the
security docs say this second, mild, hole will be fixed in the next
beta).  1.2b8 does _not_ have the more serious hole.  The mild hole
involves a buffer overrun that causes httpd to not see an index.html
that is actually present, thus allowing anybody to get a full
directory listing.  I don't consider this a serious hole, myself, YMMV
of course.

-- 
                            Stephen J. Turnbull
Institute of Policy and Planning Sciences                    Yaseppochi-Gumi
University of Tsukuba                      http://turnbull.sk.tsukuba.ac.jp/
Tel: +81 (298) 53-5091;  Fax: 55-3849              turnbull@example.com
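Two points in the message above lend themselves to a worked example: the
domain/client access restrictions that Apache's access-control directives
(Order, Allow from, Deny from) provide, and the "mild hole" in which httpd
fails to see an index.html and falls back to a directory listing.  The
listing only happens if the Indexes option is in effect for that
directory; with `Options -Indexes` the server returns Forbidden instead,
which is the cheap mitigation a practitioner would apply regardless of the
beta's fix.  The code below is an added example, not code from the
original post or from the Apache project: it parses a constructed
access.conf fragment (the paths, hostnames and addresses are illustrative)
and evaluates the Order/Allow/Deny semantics of Apache 1.x against a
client, plus whether autoindexing would be served.  The network/netmask
forms that arrived in Apache 1.3 are deliberately not handled.

```python
"""Evaluate Apache 1.x-style host access control and the Indexes option.

Added example, not the Apache project's code. The access.conf fragment is
constructed; names and addresses are illustrative. Network/netmask forms
(Apache 1.3 and later) are not supported.
"""
import re
from dataclasses import dataclass, field

SAMPLE_ACCESS_CONF = """
# Constructed sample: two directories that differ in their Order line.
<Directory /usr/local/etc/httpd/htdocs/internal>
Options -Indexes
order deny,allow
deny from all
allow from .tsukuba.ac.jp 130.158.
</Directory>

<Directory /usr/local/etc/httpd/htdocs/public>
order allow,deny
allow from all
deny from badhost.example.com
</Directory>
"""


@dataclass
class DirectoryRule:
    path: str
    order: str = "deny,allow"  # Apache's default when no Order line is given
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    options: list = field(default_factory=list)


def parse_access_conf(text):
    """Return one DirectoryRule per <Directory> block in an access.conf fragment."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+)"?>', line, re.I)
        if m:
            current = DirectoryRule(path=m.group(1))
            continue
        if line.lower() == "</directory>":
            rules.append(current)
            current = None
            continue
        if current is None:
            continue
        key, _, rest = line.partition(" ")
        key, args = key.lower(), rest.split()
        if key == "order":
            current.order = "".join(args).lower()
        elif key in ("allow", "deny") and args and args[0].lower() == "from":
            getattr(current, key).extend(a.lower() for a in args[1:])
        elif key == "options":
            current.options.extend(args)
    return rules


def host_matches(pattern, ip, hostname=None):
    """Match one 'from' argument: all, a full/partial dotted IP, or a domain suffix."""
    if pattern == "all":
        return True
    if re.fullmatch(r"\d+(\.\d+)*\.?", pattern):
        # Partial IPs match on octet boundaries: "130.158" or "130.158." covers 130.158.x.y
        prefix = pattern if pattern.endswith(".") else pattern + "."
        return ip == pattern or ip.startswith(prefix)
    if hostname is None:  # domain rules need a resolved client hostname
        return False
    hostname = hostname.lower()
    if pattern.startswith("."):
        return hostname.endswith(pattern)
    return hostname == pattern or hostname.endswith("." + pattern)


def is_allowed(rule, ip, hostname=None):
    """Apply the Order semantics: deny,allow defaults to allow (Allow wins on
    a double match); allow,deny and mutual-failure default to deny (Deny wins)."""
    allowed = any(host_matches(p, ip, hostname) for p in rule.allow)
    denied = any(host_matches(p, ip, hostname) for p in rule.deny)
    if rule.order == "deny,allow":
        return allowed or not denied
    if rule.order in ("allow,deny", "mutual-failure"):
        return allowed and not denied
    raise ValueError("unknown Order value: %r" % rule.order)


def indexes_enabled(rule):
    """Would httpd emit an automatic listing for a directory with no index file?
    Apache 1.x defaults to 'Options All', which includes Indexes."""
    enabled = True
    absolute = [o.lower() for o in rule.options if not o.startswith(("+", "-"))]
    if absolute:  # an absolute Options list replaces the inherited set
        enabled = any(o in ("indexes", "all") for o in absolute)
    for o in (o.lower() for o in rule.options):
        if o == "+indexes":
            enabled = True
        elif o == "-indexes":
            enabled = False
    return enabled


if __name__ == "__main__":
    for rule in parse_access_conf(SAMPLE_ACCESS_CONF):
        print(rule.path, "Indexes:", indexes_enabled(rule))
        for ip, host in (("130.158.1.2", None), ("192.0.2.1", "badhost.example.com")):
            print("  ", ip, host, "->", "allow" if is_allowed(rule, ip, host) else "deny")
```

Note the asymmetry this makes visible: under `order deny,allow` a client
that matches neither list gets in, under `order allow,deny` it does not, so
the Order line, not the Deny line, decides the default posture.  Domain
rules only fire when the server has a reverse-resolved client name, which
is why IP-based rules are the safer primary control.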