Date: Thu, 20 Jun 2002 13:28:18 -0700 (PDT) From: Marc Slemko <marcs@znep.com> To: "Jacques A. Vidrine" <nectar@FreeBSD.ORG> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Apache root exploitable? Message-ID: <Pine.BSF.4.20.0206201327200.38173-100000@alive.znep.com> In-Reply-To: <20020620201509.GC56227@madman.nectar.cc>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 20 Jun 2002, Jacques A. Vidrine wrote: > On Thu, Jun 20, 2002 at 01:41:43PM -0600, David G . Andersen wrote: > > > > It's not _root_ exploitable unless you run Apache as root. > > > > If you do that, you're asking for it anyway. > > > > It may or may not be remotely exploitable. It looks a lot more > > exploitable than it did a few days ago. :) > > David is on the money. We've yet to confirm that the bug can be > exploited for arbitrary code execution, but GOBBLES's post (and > se@FreeBSD.org's follow-up) do have us worried still. Yes, I have every reason to think it is exploitable for remote code execution. > After all, even if it is `only' a DoS, it will probably get hit a > lot once someone writes a Code Red-like worm for the Win32 version. > History tells us that such worms don't bother to check the operating > system or version that is running before attacking, and I would expect > apache < 1.3.26 servers to experience a lot of downtime as a result. > :-) It isn't a very serious DoS though. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.20.0206201327200.38173-100000>