From owner-freebsd-questions Wed Apr 12 16:25:17 1995
Return-Path: questions-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id QAA00330 for questions-outgoing; Wed, 12 Apr 1995 16:25:17 -0700
Received: from ain.charm.net (ain.charm.net [198.69.35.206]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id QAA00307 ; Wed, 12 Apr 1995 16:25:06 -0700
Received: (from nc@localhost) by ain.charm.net (8.6.11/8.6.9) id TAA00648; Wed, 12 Apr 1995 19:18:43 -0400
Date: Wed, 12 Apr 1995 19:18:43 -0400 (EDT)
From: Network Coordinator
To: freebsd-security@FreeBSD.org, freebsd-questions@FreeBSD.org
Subject: httpd - security problem? (question, not a statement)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: questions-owner@FreeBSD.org
Precedence: bulk

I remember reading somewhere that there is a bug in a number of port 80
daemons that would allow someone to gain root access remotely through it.
I know there is a bug when using httpd with Satan v1.0 (well, for as much
as I trust CERT), but when not running Satan, is there any harm in letting
cern_httpd v3.0 run in standalone (full-time) mode [as root, no less]?

Any ideas on securing up a system would be greatly appreciated.

Thanks,
Jerry.