This is probably getting off-topic, but I would have thought that changing
OSs just because they release security updates would be a constant task.
I would be more worried about using Windows NT in a Windows 9x/3.x
environment, where the login security is pathetic and Microsoft have told me
personally that there are no plans to fix this at all. If anyone wants more
details mail me off-list and I'll let them know.
The IT press recently got very excited about an exploit of a bug in Linux.
The actual bug had been fixed back in July and anyone being abused in this
way hadn't installed the security update.
Regardless of what you run, install the security patches as soon as practically
possible. Test them on a development machine first if you like. This
obviously includes updates to mod_ssl.
-
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
-----Original Message-----
From: R. DuFresne [mailto:[EMAIL PROTECTED]]
Sent: 10 October 2000 23:11
To: [EMAIL PROTECTED]
Subject: Re: Nessus shows security hole in mod_ssl?
looks like perhaps nessus might be seeing php and blowin up over there,
search the Bugtraq archives on php.
...then get slackware, being redhat has become the kitchen sink of linux
distributions and has daily security issues poppin up, along with
mandrake...
Thanks,
Ron Dufresne
On Tue, 10 Oct 2000, Robert Williams wrote:
> Our nessus scanner started reporting
> a Vulnerability in two Apache mod_ssl servers
> after a daily scanner update last week.
> The servers on port 80 are not affected,
> nor are other servers with no mod_ssl installed.
> Here is the configuration:
> Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.4 OpenSSL/0.9.5a
> PHP/4.0.0
>
> http://www.nessus.org/
>
> The test script that found this problem is http_methods.nasl.
> It tests for PUT and DELETE, neither of which is enabled
> in the server httpsd.conf. Could there be a "DELETE"
> enabled by mod_ssl?
>
> Has anyone else seen this? Is this report bogus?
>
> Here is the report:
>
> _________________________________________________________
>
> Vulnerability found on port https (443/tcp)
>
> We could DELETE the file '/' on your web server
> This allows an attacker to destroy some of your pages
> Solution : disable this method
> Risk factor : Serious
>
> Warning found on port https (443/tcp)
>
> a web server is running on this port
>
> Warning found on port https (443/tcp)
>
> The Sambar webserver is running. It provides a web interface for
> sending emails.
> You may simply pass a POST request to /session/sendmail and by this
> send mails to anyone you want.
> Due to the fact that Sambar does not check HTTP referers you do not
> need direct access to the server!
>
> See http://www.toppoint.de/~hscholz/sambar for more information.
>
> Solution : Try to disable this module. There might be a patch in the
> future.
>
> Risk factor : High
>
> Information found on port https (443/tcp)
>
> The remote web server type is :
> Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.4 OpenSSL/0.9.5a
> PHP/4.0.0
>
>
> We recommend that you configure your web server to return
> bogus versions, so that it makes the cracker job more difficult
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
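The report quoted above flags DELETE on the SSL port, and the open question in the thread is whether httpsd.conf actually permits it. As an added illustration, not part of the thread or of mod_ssl's own documentation, this is how an Apache 1.3.x virtual host on 443 can be limited to GET and POST so that PUT and DELETE are refused no matter which module handles the request; the DocumentRoot path and the _default_:443 address are assumptions.

```apache
# Added example, not from the thread: method restriction for the SSL
# virtual host in an Apache 1.3.x httpsd.conf. The DocumentRoot path and
# the _default_:443 address are assumed; adjust them to the real server.
<VirtualHost _default_:443>
    SSLEngine on
    DocumentRoot "/home/httpd/html"

    <Directory "/home/httpd/html">
        # Every method other than GET and POST (GET also covers HEAD in
        # Apache 1.3) is denied to all clients, so a PUT or DELETE gets a
        # 403 before it reaches any handler. Nothing here depends on
        # mod_ssl or PHP, so it applies whichever module caused the
        # scanner's result.
        <LimitExcept GET POST>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>
</VirtualHost>
```

After restarting httpsd, re-running the same http_methods.nasl check against the host should report the method as disabled; a 403 on DELETE confirms the limit is in effect.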