On Fri, 21 Sep 2001, Benjamin Scott <[EMAIL PROTECTED]> wrote:
> On Thu, 20 Sep 2001, Karl J. Runge wrote:
> > Consider what would happen if an "execute arbitrary commands" exploit in
> > Apache httpd popped up.
> 
>   Then attackers would be able to execute arbitrary commands as the "nobody"
> user, which has no access to anything on a proper system.

Agreed (and I said the above in my post).  

Even still it would be a COMPLETE MESS.  The net would be swamped as it
was with code-red IIS exploits and all vulnerable servers would be
exploited within a few hours because apache is the most used webserver.
(BTW this would require an exploit in the core/default apache functionality
to be as fast as code-red).

Exploited websites would be easily defaced by the modified server
(e.g. this could be done entirely in RAM).  And what fraction of
the 18 million apache servers are free from a local root exploit?
(I know Ben's answer:  1 - the fraction that deserve to be 0wned :-)

Apache is well designed and delivered, and the Unix model and practice
is way better than Microsoft's.  Still, I think there is some
reasonable chance this sort of thing could happen to apache.  Besides
the mess, just the thought of the FUD marketing Microsoft would spew
from a widespread apache exploit makes me want to go start my own
personal audit of httpd!

