On 4/2/2010 1:47 PM, Franklin, Meyer wrote: > Jeff Trawick requested I forward this request for a proper audience. > > Thanks. > > > > *From:* Franklin, Meyer > *Sent:* Friday, April 02, 2010 9:03 AM > *To:* 'secur...@apache.org' > *Cc:* Hill, Richard > *Subject:* Basic question about vulnerability if a specific module is > NOT loaded > > > > Hello team, > > > > Our company currently deploys Apache Web Server version 2.0.63 and I am > frequently asked about certain vulnerabilities such as those found in > mod_isapi, mod_proxy_ftp, mod_proxy_http, mod_proxy_ajp, mod_headers, etc. > > > > I claim that if those modules are NOT loaded by the httpd.conf file, > then the overall web server is not vulnerable. I feel this is common > sense, but I have not found any specific documentation from Apache other > than inferences such as one found on > http://httpd.apache.org/security/vulnerabilities_20.html regarding > CVE-2010-0425: > > > > “A flaw was found with within mod_isapi which would attempt to unload > the ISAPI dll when it encountered various error states. This could leave > the callbacks in an undefined state and result in a segfault. On Windows > platforms using mod_isapi, a remote attacker could send a malicious > request to trigger this issue, and as win32 MPM runs only one process, > this would result in a denial of service, and potentially allow > arbitrary code execution.” > > > > Could you please reply with a definitive statement that clearly proves > that when a specific module is not loaded, then the vulnerability within > that module cannot be exposed and the overall web server is not > vulnerable to attack.
Obviously. And I mean that definitively. Good reasoning :) But I'm afraid that with proliferation of "security scanners" that don't actually scan for any defect, but merely compare revision numbers to tables of know exploits, you won't win this argument.
