Tag Archives: Apache

Configuring email notifications to be friendly but secure

I have commented in the past on the generally low security level of Microsoft ASP.Net web applications which stems from the closed Microsoft monoculture and a product strategy that prioritizes ease of use over security and privacy by hiding features and functionality from the user.

In the course of a security audit/penetration test of a social networking Web site this week that was developed and deployed on Ubuntu, I was reminded yet again that we all have something to learn. Even Linux geeks.

A common Web 2.0 rich Web application deployment involves a Web server running PHP and Postfix for delivery of email notifications to Web site members. There are four key system requirements for such a deployment:

  • A. Deploy as a null client, i.e. as a machine that receives no mail from the network and does not deliver any mail locally. This is hugely important for not turning your Web server into a launchpad for spammers.
  • B. Rewrite the default Apache www-data@domain sender with something more meaningful like domain@domain.com without changing PHP code. This is both a usability issue and a security issue, since it is a bad idea to advertise the fact that your Web site operations are clueless to the point of not knowing how to change default LAMP settings.
  • C. Provide a human-readable From: in the header so that the users of your great Web 2.0 social media app will see real names instead of your domain. This is definitely a usability issue unrelated to security.
  • D. Mask the email addresses of your users so that you don’t disclose personal information. This is a basic data security and privacy requirement.
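As an added example (not from the original post), the Postfix settings that satisfy requirements A to C, following the null-client recipe in the Postfix STANDARD_CONFIGURATION_README; the hostnames, relay host and notification address are assumed example values.

```ini
# /etc/postfix/main.cf  (hostnames and addresses are assumed example values)
myhostname = web1.example.com
mydomain = example.com
myorigin = $mydomain

# A. Null client: listen on loopback only, accept nothing from the network,
#    deliver nothing locally, hand every message to the organisation's relay.
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8 [::1]/128
mydestination =
local_transport = error:local delivery is disabled
relayhost = [mail.example.com]
# /etc/postfix/master.cf: also comment out the "local" delivery agent line.

# B. Rewrite the sender that PHP's mail() produces (www-data@...) in both the
#    envelope and the From: header; no PHP change needed.
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sender_canonical_classes = envelope_sender, header_sender

# C. Give the rewritten From: a display name as the mail leaves for the relay.
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks

# /etc/postfix/sender_canonical  (build with: postmap /etc/postfix/sender_canonical)
www-data@example.com        notifications@example.com
www-data@web1.example.com   notifications@example.com

# /etc/postfix/smtp_header_checks  (regexp tables need no postmap; then: postfix reload)
/^From:\s*notifications@example\.com$/  REPLACE From: "Example Social" <notifications@example.com>
```

Requirement D stays an application concern: send each member an individual message rather than listing members in To: or Cc:.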


Exploiting Apache DoS vulnerabilities

Apache is the world’s most popular Web server for Linux and Windows platforms, and with such a large attack surface, it’s no surprise that attackers are looking to exploit Apache software vulnerabilities. The approach used by XerXeS is somewhat novel in that it is based on a DoS (not DDoS) attack and apparently requires relatively modest computing resources to execute.

The objective of such an attack can go beyond denial of service: a more interesting and potentially more valuable attack would gain access to the back-end database (typically MySQL) generally used behind Apache web servers. The trick, of course, is identifying who has valuable data assets, since the vast majority of LAMP installations are small content/blogging Web sites.

Courtesy of my colleague Anthony Freed –

Infosec Island has once again gained exclusive access to a video demonstration of the XerXeS DoS attack recently developed by the infamous patriot-hacker known only as The Jester (th3j35t3r).

This new video shows a little more of the XerXeS dashboard, and reveals even more about the attack technique – watch the text box on the left as Jester mentions “Apache” for the first time outside of our private conversations…

See the video on the enhanced DoS exploit of Apache vulnerabilities


Apache.org hack

On Friday morning, August 28, a compromised SSH key enabled attackers to deploy a rootkit and upload files to one of the Apache Foundation servers; the files were then synced to a production server.

A blog post from the Apache Foundation explained that attackers accessed an account at a hosting provider:

“To the best of our knowledge at this time, no end users were affected by this incident, and the attackers were not able to escalate their privileges on any machines. While we have no evidence that downloads were affected, users are always advised to check digital signatures where provided,” the staff wrote. “The attackers created several files in the directory containing files for www.apache.org, including several CGI scripts. These files were then rsynced to our production webservers by automated processes. At about 07:00 on August 28 2009 the attackers accessed these CGI scripts over HTTP, which spawned processes on our production web services.”

Last year we heard that SSH keys generated on certain versions of Debian and Ubuntu were considered compromised because of a highly predictable random number generator.

Considering that apache.org serves up the most popular Web server on the planet for both Windows and Linux, it’s a significant event. Being open source, it’s not an issue of confidentiality but an issue of software integrity, which is easy enough to ensure by reloading fresh copies of the uploaded files from SVN.

First noted on F-Secure
