
Re: BillMax questions -- Apache version



I have recompiled Apache on the BillMax server and installed PHP, mod_perl,
mysql-auth.mod, and SSL.
BillMax works fine.



----- Original Message -----
From: "David Richardson" <isp@derdev.com>
To: <questions@billmax.com>; "Internet Partners Inc. Support"
<support@IPINC.NET>
Sent: Tuesday, June 25, 2002 8:21 AM
Subject: RE: BillMax questions -- Apache version


> Ted, iSpark;
>
> Thanks for your note.  My impression from the same Apache security
> advisory and external discussion forums from security experts is that there
> is nothing related to authenticated users that would prevent an exploit of
> this bug.  I'll be happy to be shown otherwise, but that's my working
> framework.
>
> Your point about BMUI on an updated box is well taken, and I'm personally
> already there.
> Your point about hiding the BillMax box is also good; however, my
> deployment model is to proxy that box through an HTTPS page and
> authentication via my upgraded Apache.
>
> I run Linux on i386, and the current information about the Apache
> vulnerability is that Linux child HTTPDs can be crashed causing the parent
> to respawn, which takes time and resources, and can result in a Denial of
> Service.  It has been documented that (Free|Open|Net)BSDs are vulnerable to
> being rooted with this vulnerability based upon their implementation of
> memory management.
>
> I don't know if the scenario of presenting the BillMax unpatched Apache
> via my upgraded Apache/proxy is good enough to prevent the child HTTPDs on
> the BillMax box from being crashed on my Linux i386 under an attack... WHICH
> IS WHY I was asking if iSpark had any intention of addressing this issue.
>
> Thanks again Ted!
> Dave.
>
>
> ---------- Original Message ----------------------------------
> From: "Internet Partners Inc. Support" <support@ipinc.net>
> Date: Mon, 24 Jun 2002 16:08:10 -0700
>
> >You're referring to:
> >
> >http://httpd.apache.org/info/security_bulletin_20020620.txt
> >
> >It would sure be nice if they could be a bit more explicit about it.
> >The default Billmax seems to be to use HTTP authentication and there's
> >no word if this vulnerability is exploitable during the HTTP auth
> >request handshake.  Once again it's the old discredited security
> >through obscurity approach I think.
> >
> >When this came out I just made sure to tighten down the access list
> >on the Billmax server.  At least with FreeBSD, as you know, you can
> >turn on IPFirewall.  Linux has a similar facility.  I don't see the need
> >of having the Billmax server world-accessible, and even BMUI can be run
> >on a separate system.
> >
> >Ted
> >
> >>-----Original Message-----
> >>From: owner-questions@billmax.com [mailto:owner-questions@billmax.com]On
> >>Behalf Of David Richardson
> >>Sent: Saturday, June 22, 2002 6:48 AM
> >>To: questions@billmax.com
> >>Subject: BillMax questions -- Apache version
> >>
> >>
> >>To Billmax: for v1.5.4 of Billmax, have you prepared a patch to
> >>Apache to fix the heap chunk vulnerability?  This is a critical
> >>fix to Apache.
> >>
> >>To List Members: Does anyone have any experience/insight into
> >>recompiling Apache within the BillMax environment so that BM
> >>doesn't puke?  i.e. modules, paths, settings, includes, chants and
> >>murmurs?
> >>
> >>To All: my Billmax v1.5.4 reports Apache 1.3.9.  This is, to say
> >>the least, really old vis a vis the current version of 1.3.26
> >>(includes heap chunk fix).
> >>
> >>The heap chunk has been proved to be vulnerable on 32-bit Free|Open|
> >>NetBSD systems and it's being heavily researched for Linux'
> >>Intel32 for vulnerabilities.
> >>
> >>Thanks,
> >>Dave.
> >>-------------------------------------------------------------------
> >>----------
> >>To unsubscribe from the "BillMax Questions" mailing list, please
> >>send a message to "majordomo@billmax.com" with "unsubscribe questions"
> >>in the message body. The message must be sent from the exact email
> >>address on the list.
> >>
> >
> >

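The deployment model the thread settles on is to keep the BillMax host off the open network and reach it only through a patched front-end Apache that terminates HTTPS and authenticates users. The configuration below is an added example, not from any of the posters or from the BillMax product; the hostname, addresses, certificate paths and password file are assumptions, and it assumes the front-end is an Apache 1.3 build (already upgraded to a fixed release) with mod_ssl and mod_proxy compiled in.

```apache
# Added example: front-end Apache 1.3 with mod_ssl and mod_proxy.
# All names, addresses and paths are assumptions; substitute your own.
<VirtualHost 203.0.113.10:443>
    ServerName billing.example.net

    SSLEngine on
    SSLCertificateFile    /etc/ssl/billing.crt
    SSLCertificateKeyFile /etc/ssl/billing.key

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off
    ProxyPass        /billmax/ http://10.0.0.5/billmax/
    ProxyPassReverse /billmax/ http://10.0.0.5/billmax/

    <Location /billmax/>
        # Refuse plain HTTP for this path.
        SSLRequireSSL

        # Authenticate on the upgraded front-end, before anything is forwarded.
        AuthType Basic
        AuthName "BillMax"
        AuthUserFile /etc/httpd/billmax.passwd
        require valid-user

        # Access list: staff network only (Ted's "tighten the access list").
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8
    </Location>
</VirtualHost>
```

The access list and authentication are evaluated on the patched front-end, so unauthenticated or off-network requests never reach the BillMax host's older httpd. Pair this with a host firewall on the BillMax box (ipfw on FreeBSD, iptables on Linux, as Ted notes) that accepts TCP port 80 only from the proxy's address 10.0.0.x, so the old Apache is not reachable by any other route; the proxy reduces exposure but, as Dave's question in the thread makes clear, it is not a substitute for upgrading the BillMax Apache itself.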