Sorry, I should have said PCI Scan (must have dyslexia between the seat and the keyboard). This stands for "Payment Card Industry": the major credit card companies (VISA, MC, etc.) got together and established some security standards that their members must meet relative to credit card security. One of the standards is quarterly system scans where they test the various ports of an ecommerce website. See http://www.pcicomplianceguide.org for more info.
The errors are below. Our system was scanned last night and we received 5 errors, 2 severe. All were related to our level of Apache.

1. Apache mod_proxy DoS - Apache versions between 1.3.25 and 1.3.31 may allow a remote attacker to crash the web server via manipulation of the HTTP Content-Length header.
2. Apache Buffer Overflow - Apache versions prior to 1.3.27 or 2.0.42 can result in a denial of service, and possibly, arbitrary code execution on your server.
3. Apache Rotate Logs DoS - Apache versions prior to 1.3.28 are vulnerable to a remote denial of service attack; this is only known on Windows servers.
4. Apache mod_alias and mod_rewrite Buffer Overflow - If the user has access to the Apache configuration, it's possible to take advantage of the buffer overflow vulnerability in mod_alias and mod_rewrite.
5. Apache Socket Starvation DoS - Apache versions prior to 1.3.31 and 2.0.49 are vulnerable to a denial of service attack.

Our application is running on Windows Server 2003.

Now for your questions. I think our IBM HTTP server is 1.3.26, and the error message references that any version of Apache between 1.3.25 and 1.3.31 is vulnerable to the potential exposures (tried to attach the report but it's an image file). As for the version of OFBiz, I can never remember where to find this. When I look at the General Properties file, it references 1.7. We installed OFBiz in 2003 and due to our modifications, haven't upgraded it. If you can guide me where to find the release level I could provide it.

Drew Stephens
Rippe & Kingston Systems, Inc.
[EMAIL PROTECTED]
Phone: (513) 977-4573
Visit us at: www.rippe.com
1077 Celestial Street, Cincinnati, Ohio 45202-1696
===============================================================================

-----Original Message-----
From: Walter Vaughan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 06, 2007 3:48 PM
To: [email protected]
Subject: Re: Upgrading our Apache Server

Stephens, Drew wrote:

> Due to a CPI Scan, we are being instructed to update our Apache
> software. We are worried about how this will affect our OFBiz
> environment; what "gotchas" should we look out for? I am attaching
> the scan report which explains the exposures the upgrade would address.
>
> Any help will be appreciated. Thanks in advance.

First, what is a CPI scan?

Second, what OS are you running ofBiz on?

Third, what version of Apache http are you on now, and what version does this mythical CPI recommend, or does it just say upgrade?

Fourth, are you sure you are running ofBiz inside Apache http?

--
Walter
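The scan findings in the thread are stated as version ranges, so the first thing to settle is which of them actually cover the server in question. The Python below is an added example (not from the thread or the OFBiz project): it pulls the dotted version out of a Server header or `httpd -v` line and lists the findings whose range, exactly as the report words it, includes that version. The sample input is constructed from the 1.3.26 / Windows Server 2003 details in the mail; finding 4 is left out because the report ties it to configuration access rather than to a version.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Pull a dotted version out of a Server header or 'httpd -v' line,
    e.g. 'IBM_HTTP_Server/1.3.26 Apache/1.3.26 (Win32)' -> (1, 3, 26)."""
    m = re.search(r"(\d+\.\d+\.\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


@dataclass
class Finding:
    name: str
    # branch (major, minor) -> first version on that branch the report treats as not affected
    fixed: Dict[Tuple[int, int], Version]
    lo: Optional[Version] = None      # inclusive lower bound, where the report gives one
    windows_only: bool = False

    def affects(self, v: Version, on_windows: bool) -> bool:
        branch = v[:2]
        if branch not in self.fixed:
            return False              # the report says nothing about this branch
        if self.windows_only and not on_windows:
            return False
        if self.lo is not None and v < self.lo:
            return False
        return v < self.fixed[branch]


# Ranges copied from the scan findings quoted in the mail above; this is a
# constructed list for the example, not an authoritative advisory database.
SCAN_FINDINGS: List[Finding] = [
    Finding("1. mod_proxy DoS (1.3.25 to 1.3.31)", {(1, 3): (1, 3, 32)}, lo=(1, 3, 25)),
    Finding("2. Buffer overflow (prior to 1.3.27 / 2.0.42)", {(1, 3): (1, 3, 27), (2, 0): (2, 0, 42)}),
    Finding("3. Rotate Logs DoS (prior to 1.3.28, Windows only)", {(1, 3): (1, 3, 28)}, windows_only=True),
    Finding("5. Socket starvation DoS (prior to 1.3.31 / 2.0.49)", {(1, 3): (1, 3, 31), (2, 0): (2, 0, 49)}),
]


def applicable_findings(server_line: str, on_windows: bool) -> List[str]:
    """Names of the report's findings whose stated range covers this server version."""
    v = parse_version(server_line)
    return [f.name for f in SCAN_FINDINGS if f.affects(v, on_windows)]


if __name__ == "__main__":
    # Constructed sample header matching the 1.3.26 on Windows Server 2003 setup in the mail
    for name in applicable_findings("Server: IBM_HTTP_Server/1.3.26 Apache/1.3.26 (Win32)", on_windows=True):
        print(name)
```

For 1.3.26 on Windows this reports findings 1, 2, 3 and 5, which matches what the scan flagged; the same check run against the version a candidate upgrade would install shows which findings that upgrade clears.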
