*** This bug is a security vulnerability ***

Private security bug reported:

This is the PHP Script on the server:

    <?php
    // $_SERVER['HTTPS'] is set to a non-empty value when the request came in over HTTPS
    if (isset($_SERVER['HTTPS']) )
    {
        echo "SECURE: This page is being accessed through a secure connection.<br><br>";
    }
    else
    {
        echo "UNSECURE: This page is being access through an unsecure connection.<br><br>";
    }

This is what happens if a regular browser accesses the page:

    --(pmorger@laptop-pmorger)-(0.54)-(13)-(pts/6)-(12:04:05/Wed Sep 26)--
    --($:~)-- lynx --dump https://www.dominion.ch/ssl.php
    SECURE: This page is being accessed through a secure connection.

This happens if I do telnet on the port:

    --(pmorger@laptop-pmorger)-(0.50)-(14)-(pts/6)-(12:04:09/Wed Sep 26)--
    --($:~)-- telnet www.dominion.ch 443
    Trying 212.25.4.26...
    Connected to sanity.dominion.ch.
    Escape character is '^]'.
    GET /
    GET /ssl.php
    UNSECURE: This page is being access through an unsecure connection.<br><br>Connection closed by foreign host.

The initial GET is not answered, BUT THE SECOND is and it IS CLEARTEXT.

Verified with tcpdump.

This is very disturbing.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apache2 2.2.22-1ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-30.48-generic 3.2.27
Uname: Linux 3.2.0-30-generic x86_64
Apache2ConfdDirListing: ['charset', 'modsecurity2.conf', 'other-vhosts-access-log', 'phpmyadmin.conf', 'security', 'localized-error-pages']
ApportVersion: 2.0.1-0ubuntu13
Architecture: amd64
Date: Wed Sep 26 10:12:43 2012
ProcEnviron:
 LC_CTYPE=en_US.UTF-8
 TERM=screen
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: apache2
UpgradeStatus: Upgraded to precise on 2012-08-31 (25 days ago)
modified.conffile..etc.apache2.ports.conf: [modified]
mtime.conffile..etc.apache2.ports.conf: 2011-10-10T16:42:13.940099

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug precise

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1056758

Title:
  Data over Port 443 not encrypted
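
The manual telnet check from the report, written as a repeatable test an administrator can run against their own server. This is an added example, not part of the original bug report; the names `classify_reply`, `probe` and `SAMPLES` are hypothetical, and the sample replies are constructed except for the `UNSECURE:` body, which is quoted from the report.

```python
import socket


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server returns after a plaintext HTTP request."""
    if not data:
        return "no-reply"  # closed, reset, or still waiting for a TLS ClientHello
    # TLS record header: content type 0x14-0x17, then version 0x03 0x00-0x04.
    if len(data) >= 3 and 0x14 <= data[0] <= 0x17 and data[1] == 3 and data[2] <= 4:
        return "tls-record"
    if data.startswith(b"HTTP/"):
        fields = data.split(b"\r\n", 1)[0].split()
        status = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else 0
        # A 4xx/5xx here is the server rejecting plain HTTP, not serving content.
        return "cleartext-http-error" if status >= 400 else "cleartext-http-content"
    return "cleartext-body"  # HTTP/0.9-style reply: body only, no status line


def probe(host: str, port: int = 443, path: str = "/", timeout: float = 5.0) -> str:
    """Send one unencrypted HTTP/1.0 request to host:port and classify the reply."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = sock.recv(4096)
    except OSError:  # refused connection, timeout or reset all count as no reply
        data = b""
    return classify_reply(data)


# Constructed sample replies; the last body is the one quoted in the report.
SAMPLES = {
    "tls alert": b"\x15\x03\x03\x00\x02\x02\x0a",
    "plain-HTTP rejection": b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n",
    "page served in clear": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "HTTP/0.9 body": b"UNSECURE: This page is being access through an "
                     b"unsecure connection.<br><br>",
    "silence": b"",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22} -> {classify_reply(raw)}")
```

On a port that really terminates TLS, `probe()` should return `tls-record`, `cleartext-http-error` or `no-reply`; `cleartext-http-content` or `cleartext-body` means page content left the server unencrypted, as in the report.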