Hello NetByte,

well, that looks contradictory: they are discussing a "mis-implementation warning" for mod_usertrack, not a hole in Apache:

"It should be noted that this is not a vulnerability in Apache. This is only a vulnerability when an application uses these IDs to track authenticated users."

:)

Saturday, December 15, 2001, 10:19:02 AM, you wrote:

N> However secure a product is, as long as it is made by humans it can still
N> be broken into by humans too. I once read that Apache 1.3.19 on OpenBSD 2.9
N> can be exploited using a remote exploit; unfortunately, when I searched for
N> the news just now I couldn't find it again.

N> After the hole in OpenSSH, a hole in Apache is now also a hot topic of
N> discussion:

N> Apache mod_usertrack Predictable ID Generation Vulnerability

N> Apache is a popular open-source HTTP server in wide use across the Internet.

N> Apache ships with a module called 'mod_usertrack'. This module contains code
N> to generate unique identifiers for individual web sessions and requests.

N> The session IDs that are generated are not random. They are generated
N> using the IP address of the client, the system time and the server process
N> ID. These IDs are not meant to be used for authentication purposes.

N> Any applications that rely on these IDs for authentication may be vulnerable
N> to ID prediction attacks.

N> It should be noted that this is not a vulnerability in Apache. This is only
N> a vulnerability when an application uses these IDs to track authenticated
N> users.

N> This affects the following Apache versions:

N> Apache Apache 1.3.11
N> Apache Apache 1.3.12
N> Apache Apache 1.3.14
N> Apache Apache 1.3.17
N> Apache Apache 1.3.18
N> Apache Apache 1.3.19
N> Apache Apache 1.3.20

N> Now it depends on us as the brainware, on which one we know best.

--
Best regards,
dody suria wijaya mailto:[EMAIL PROTECTED]
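Added example, not part of the original e-mail and not Apache's code: a tracking-style ID built only from the three inputs the quoted advisory names, next to an authenticated-session store that uses CSPRNG tokens kept separate from any tracking cookie. The ID layout, the PID range, the time window and all names here are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import time


def tracking_style_id(client_ip, pid, now):
    """Toy ID from client IP, process ID and system time only.
    The layout is an assumption, not mod_usertrack's actual format."""
    return f"{client_ip}.{pid}{int(now * 1000)}"


def unknown_bits(pid_range, window_ms):
    """Upper bound on the entropy left in such an ID once the client IP
    is known: the process ID plus the millisecond within a time window."""
    return math.log2(pid_range * window_ms)


class SessionStore:
    """Authenticated sessions keyed by a random token, independent of the
    tracking ID. Only a SHA-256 digest of each token is stored."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}  # token digest -> (user, expiry time)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._digest(token)] = (user, now + self.ttl)
        return token

    def lookup(self, token, now=None):
        """Return the user for a live token, or None if unknown or expired."""
        now = time.time() if now is None else now
        digest = self._digest(token)
        entry = self._sessions.get(digest)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self._sessions[digest]  # drop expired sessions on access
            return None
        return user
```

With the constructed values of a 32768-entry PID range and a one-minute window, `unknown_bits` comes out at about 31 bits, against the 256 bits in each token from `SessionStore.issue`.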

