Penetration Testing mailing list archives

Re: Default Apache install w/ mods


From: security curmudgeon <jericho () attrition org>
Date: Fri, 14 Dec 2001 15:12:06 -0500 (EST)


I am going up against what looks like a standard Apache install with the
following mods: 

Apache/1.3.22 (unix) mod_perl/1.26 mod_fastcgi mod_ssl/2.8.5
OpenSSL/0.9.6b

I am not too experienced with Apache (and IIS is so easy). I have used
the test-cgi and printenv scripts to gain some info. My question is,
what are the vulnerabilities with the standard install (still has the
Apache "Welcome" message)? Do the mods have any exploitable weaknesses?
What are the default cgi-bin scripts (are there any)? I was able to use
this server as a proxy which got me past their firewall though. :) 

Sorry for the basic question. Any help would be appreciated. 

off a default 1.3.22 install
/usr/local/apache/cgi-bin/printenv
/usr/local/apache/cgi-bin/test-cgi

you really should get access to a unix box in order to install packages
like this. will greatly assist you in figuring out default settings.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
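
A defender-side check for the items this thread names, as an added example that is not part of the original messages: it looks for the two default CGI scripts under an Apache server root and for forward proxying left on. The function name `audit_apache`, the `conf/httpd.conf` location under the root, and the guess that the proxying came from an uncommented `ProxyRequests On` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an Apache 1.3-style tree for the
# default CGI scripts listed in the reply and for forward proxying left on.
# audit_apache is a hypothetical helper name; the default root matches the
# paths quoted in the reply, conf/httpd.conf under it is an assumption.

audit_apache() {
    root="${1:-/usr/local/apache}"
    conf="$root/conf/httpd.conf"
    findings=0

    # The two scripts the reply lists for a default 1.3.22 install.
    for name in printenv test-cgi; do
        path="$root/cgi-bin/$name"
        if [ -f "$path" ]; then
            if [ -x "$path" ]; then
                echo "FINDING: $path present and executable"
            else
                echo "FINDING: $path present (not executable)"
            fi
            findings=$((findings + 1))
        fi
    done

    # Assumption: the proxying came from mod_proxy with an uncommented
    # "ProxyRequests On". Commented-out lines are ignored.
    if [ -r "$conf" ] &&
       grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On([[:space:]]|$)' "$conf"
    then
        echo "FINDING: ProxyRequests On in $conf"
        findings=$((findings + 1))
    fi

    echo "findings: $findings"
    # Non-zero status when anything was found, so a caller can gate on it.
    [ "$findings" -eq 0 ]
}
```

Call it as `audit_apache /path/to/serverroot`; with no argument it checks `/usr/local/apache`.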

