The Cache: Technology Expert's Forum
 
Author Topic: apache buffer overflow(s)  (Read 3184 times)
vsloathe
« on: October 03, 2007, 09:53:37 AM »

Perk asked me to bring a discussion regarding the Apache buffer overflow vulnerabilities here.

It's been a while since I was into the security/hacking scene, so I had to do some digging. It would appear that the overflow I found (doubt I discovered it first, but I found it on my own while poking around on my college's hosting a couple years ago) was patched in version 1.3.37, but the description is here:

http://secunia.com/advisories/21197/

It probably still affects a large number of systems out there.

Anyway, in my mind it's impossible to completely secure a web server, no matter how foolproof, against something as simple as a buffer overflow attack or a denial of service attack for that matter. You just don't think that way when you're coding it to begin with. I try, but try as I might, I can never think of enough attack vectors to keep my apps entirely secure.

You could probably still figure out a way to exploit the mod_rewrite vulnerability post-1.3.37 if you were clever :P.

hai
perkiset
« Reply #1 on: October 03, 2007, 11:08:22 AM »

> was patched in version 1.3.37,
> [clip]
> It probably still affects a large number of systems out there.

Ah, that explains a lot... I'd known about that issue quite a while ago but thought they had that nailed in 2.x - I was hoping you could pop one of my machines and show me how it's done. I am all 2.0 on net-facing machines.

Also, I'd assume that a BO error will pass normally over a firewall - because the packets are just sent as is if they're port-forwarded to a box behind the wall... do you happen to know anything about that as well?

> Anyway, in my mind it's impossible to completely secure a web server, no matter how foolproof, against something as simple as a buffer overflow attack or a denial of service attack for that matter. You just don't think that way when you're coding it to begin with. I try, but try as I might, I can never think of enough attack vectors to keep my apps entirely secure.

DDOS of course... that really has nothing to do with a server per se... more with the notion of simply overloading a system - which can happen with anything at all - put 1000x more in than it was built to handle and it will break. But regarding BO errors, I believe it is possible to limit, or even completely eliminate the possibility of a BO by simply watching data passing through - create a channel narrow enough that you can deal with every possibility of what comes through there and you should have it... I'd expect that this is how they built the 2.0 versions...

If you hear of stuff along this line I'd really like you to post about it because it is something that the majority of webmasters (guilty here as well) just don't take enough time to think about. Although I have pretty hardened systems and walls, there is always someone out there more clever than me...

Thanks for the post VS

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
vsloathe
« Reply #2 on: October 03, 2007, 11:24:43 AM »

Yeah sorry to disappoint. I speak in generalities when I post in the newbie sections of the syndk8.
perkiset
« Reply #3 on: October 03, 2007, 11:58:08 AM »

No worries mate... you seem to keep an ear in that direction... so please post if you hear something.

Thanks!
/p