Vulnerability Development mailing list archives
Re: Apache vulnerability checking
From: Syzop <syz () dds nl>
Date: Tue, 25 Jun 2002 00:38:51 +0200
Hi,

Toni Heinonen wrote:
Full server version: "Server: Apache/1.3.24 (Unix) (Red-Hat/Linux) mod_ssl/2.8.8 OpenSSL/0.9.6b mod_perl/1.26"
[..]
Indeed, Red Hat 7.2 carries Apache 1.3.22 and 7.3 has 1.3.23, and note that this server is running 1.3.24... I'm not sure how they do that since they also have Red-Hat/Linux in their server header...
For instance, eEye's tool reports my patched RH7.2 server as "vulnerable", because it only checks the server string, it doesn't try to exploit the vulnerability.
Could you try my 'checkap' against your Red Hat server?

I didn't know eEye's tool only checked the version, pretty strange since it's easy to make something like I did. Of course, in case someone is using Apache 2.x + multiple connections per child or something = some other clients will be killed too... maybe they didn't want to take that risk.

Thanks for the information,

Bram Matthys.
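The false positive discussed in this message, as an added example that is not part of the original post and is neither 'checkap' nor eEye's tool: a banner-only check that parses the Server header quoted above and declines to call a vendor build vulnerable on the version number alone. The `FIXED_IN` threshold is a placeholder (the page does not state the fixed release), and the vendor marker list and verdict names are assumptions.

```python
import re

# Placeholder threshold: the page does not say which release carries the fix.
FIXED_IN = (1, 3, 99)

# Assumed markers of a distribution build that may carry backported patches.
VENDOR_MARKERS = ("red-hat", "redhat", "debian", "suse", "mandrake")

# Matches either a "(comment)" or a "product[/version]" token.
TOKEN_RE = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/(\S+))?")


def parse_banner(banner):
    """Split a Server header value into {product: version} and comments."""
    if banner.lower().startswith("server:"):
        banner = banner.split(":", 1)[1]
    products, comments = {}, []
    for comment, name, version in TOKEN_RE.findall(banner):
        if comment:
            comments.append(comment)
        elif name:
            products[name.lower()] = version
    return products, comments


def version_tuple(text):
    """'1.3.24' -> (1, 3, 24); a trailing letter as in '0.9.6b' is dropped."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def banner_verdict(banner, fixed_in=FIXED_IN):
    """Classify a host from its banner only, without touching the service."""
    products, comments = parse_banner(banner)
    version = products.get("apache")
    if not version:
        return "unknown"  # version hidden, or not Apache at all
    if version_tuple(version) >= fixed_in:
        return "fixed-by-version"
    vendor = any(m in c.lower() for c in comments for m in VENDOR_MARKERS)
    # A vendor build can carry the fix under an old upstream version number,
    # so the banner cannot prove exposure; check the installed package instead.
    return "inconclusive-vendor-build" if vendor else "vulnerable-by-version"


# The banner quoted in the message above.
PAGE_BANNER = ("Server: Apache/1.3.24 (Unix) (Red-Hat/Linux) "
               "mod_ssl/2.8.8 OpenSSL/0.9.6b mod_perl/1.26")

if __name__ == "__main__":
    print(banner_verdict(PAGE_BANNER))
```

An "inconclusive-vendor-build" result is the cue to compare the installed package release against the vendor's advisory rather than to report the host as vulnerable.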