Date: Thu, 20 Jun 2002 15:15:09 -0500 From: "Jacques A. Vidrine" <nectar@FreeBSD.ORG> To: "David G . Andersen" <danderse@cs.utah.edu> Cc: Jeff Gentry <freebsd@hexdump.org>, freebsd-security@FreeBSD.ORG Subject: Re: Apache root exploitable? Message-ID: <20020620201509.GC56227@madman.nectar.cc> In-Reply-To: <20020620134143.C14099@cs.utah.edu> References: <MBBBIOEFHOPIGEHFPADDAEIHCAAA.ghebion@phreaker.net> <20020620154453.L76822-100000@hellfire.hexdump.org> <20020620134143.C14099@cs.utah.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Jun 20, 2002 at 01:41:43PM -0600, David G . Andersen wrote: > > It's not _root_ exploitable unless you run Apache as root. > > If you do that, you're asking for it anyway. > > It may or may not be remotely exploitable. It looks a lot more > exploitable than it did a few days ago. :) David is on the money. We've yet to confirm that the bug can be exploited for arbitrary code execution, but GOBBLES's post (and se@FreeBSD.org's follow-up) do have us worried still. Assume that it can be exploited, and upgrade as soon as you can. After all, even if it is `only' a DoS, it will probably get hit a lot once someone writes a Code Red-like worm for the Win32 version. History tells us that such worms don't bother to check the operating system or version that is running before attacking, and I would expect apache < 1.3.26 servers to experience a lot of downtime as a result. :-) Cheers, -- Jacques A. Vidrine <n@nectar.cc> http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020620201509.GC56227>