Mailing List Archive: tlug: HTTPd server access configuration/Apache security risk
- To: tlug@example.com
- Subject: tlug: HTTPd server access configuration/Apache security risk
- From: "Stephen J. Turnbull" <turnbull@example.com>
- Date: Mon, 21 Apr 1997 14:37:43 +0900
- Reply-To: tlug@example.com
- Sender: owner-tlug
-------------------------------------------------------- tlug note from "Stephen J. Turnbull" <turnbull@example.com> --------------------------------------------------------

There was a thread a couple of days ago about configuring domain and client access restrictions on CERN HTTPd. As I mentioned then, I don't know anything about CERN's implementation. However, I did pick up the latest beta of Apache (1.2b8, which you can get at http://ring.aist.go.jp/archives/net/apache/ - fastest for me; there are two other Japanese mirrors which are listed on that page, YMMV). This is recommended; there are security holes in earlier versions.

Apache does have a complete suite of access control tools. The size of the file has nearly tripled; this is due to a couple of additional modules, but mostly because they now include the full web-based documentation. The docs are very clear, and seem to apply in general to NCSA as well. Apparently there are several aspects where Apache provides better documentation on NCSA HTTPd than NCSA does :-) The security tips are _very_ good, and I should say required reading for anybody using the NCSA-derived servers.

Note that pre-1.1.3 versions of Apache have a serious security hole; upgrading is highly recommended. The 1.2bx series may have a mild security hole, the docs are not clear on this (1.2b8 is alleged to be nearly final, and likely to get converted directly to 1.2, yet the security docs say this second, mild, hole will be fixed in the next beta). 1.2b8 does _not_ have the more serious hole. The mild hole involves a buffer overrun that causes httpd to not see an index.html that is actually present, thus allowing anybody to get a full directory listing. I don't consider this a serious hole, myself, YMMV of course.

-- 
Stephen J. Turnbull
Institute of Policy and Planning Sciences
Yaseppochi-Gumi
University of Tsukuba
http://turnbull.sk.tsukuba.ac.jp/
Tel: +81 (298) 53-5091; Fax: 55-3849
turnbull@example.com

-----------------------------------------------------------------
a word from the sponsor will appear below
-----------------------------------------------------------------
The TLUG mailing list is proudly sponsored by TWICS - Japan's First Public-Access Internet System. Now offering 20,000 yen/year flat rate Internet access with no time charges. Full line of corporate Internet and intranet products are available.
info@example.com Tel: 03-3351-5977 Fax: 03-3353-6096
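The domain and client access restrictions the earlier thread asked about, together with a setting that takes the directory-listing behaviour out of play regardless of whether httpd sees index.html, as an added example of an Apache 1.2-era configuration fragment. This is not from the message above nor from the Apache documentation it refers to; the document root path, the .example.com domain and the 192.0.2. address prefix are placeholders, and the directive set is the order/deny/allow family that Apache 1.x inherited from NCSA HTTPd.

```apache
# Added example (not the original message's or the Apache project's own config).
# Apache 1.x style access control for a document tree.
# Paths, domain and address prefix are placeholders.

# Deny everything that is not explicitly allowed below.
<Directory /usr/local/etc/httpd/htdocs>
    # Evaluate deny rules first, then allow rules; allow wins on a match.
    order deny,allow
    deny from all
    # Hostname suffix match (leading dot) and a dotted-quad prefix match.
    # The domain match needs a reverse DNS lookup of the client address,
    # so the address prefix is the form to rely on where it is possible.
    allow from .example.com
    allow from 192.0.2.

    # No "Indexes" in this list, so a missing (or unseen) index.html yields
    # an error instead of a generated directory listing.
    Options FollowSymLinks
    DirectoryIndex index.html

    # Stop per-directory .htaccess files from re-enabling listings or
    # loosening the access rules set here.
    AllowOverride None
</Directory>

# Restricting only some methods: wrap the access directives in <Limit>.
# Everyone may read; only the named hosts may PUT or POST.
<Directory /usr/local/etc/httpd/htdocs/public>
    order deny,allow
    allow from all
    Options FollowSymLinks
    <Limit POST PUT>
        order deny,allow
        deny from all
        allow from 192.0.2.
    </Limit>
</Directory>
```

A quick check after editing: request a directory URL that has no index.html from an allowed host and confirm the server returns an error rather than a listing, then repeat from a host outside the allowed set and confirm the access denial, since "order deny,allow" with "deny from all" and no matching allow line is the easiest combination to get subtly wrong.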