From: Gareth <gi...@me...> - 2001-12-31 10:31:18
> > > > > To my mind the recent IIS exploits prove that people generally don't
> > > > > update their servers to the appropriate patch level, which
> > > > > generally leaves the machines open to abuse. They spend time
> > > > > ensuring it is safe, and once it

> Remember that the exploit never checked the HTTP headers but just attacked
> any host. Same goes for most other HTTP exploits. It's mostly useless to
> change the headers. Besides, we're probably going with a non-standard
> webserver on the next release.
> http://www.acme.com/software/mini_httpd/
> Source is only 35KB :-)

Very true, but that is related to the fact that the worms were not particularly clever in their attack scenarios, and they plain blasted everything. My point was more to the fact that people didn't update their servers.

Now if you take "Whisker" for example and use it against an IIS server that exposes the M$ Servername it runs through a ton of checks; if the Servername is missing it doesn't actually check anything at all. This is blatantly a bug with Whisker (that I reported to RainForest) but it shows that the 'information' we give out can be used against us :-)

Also most of the Apache logs were not touched as most are configured to be virtual hosting features that most have turned on, and as such using the IP address as the web address to connect to the machine won't work. So anything with an HTTP accelerator (ISA/Apache/Squid) or virtual hosting solution was not touched by the recent worms as the worm couldn't connect to the server.

As far as mini_httpd goes, how much exposure has this had compared to Apache? Presumably since the source is so small we could audit it, and report any issues with it.

On a related note, does mini_httpd support upload? I quickly scanned the source and didn't notice that in there (not to say it's not), I presume you already have a working version at home :-)

> > That is why the update is not automated. The user should ALWAYS decide for
> > themselves what they want to do. Normally, however, I would see us
> > informing all registered users of updates. The registration is optional of
> > course and only so that they can better assist us and themselves in the
> > future.
>
> Subscribe to IPCop-announce. I will only send announcements there from now
> on. We should state this clearly on the webpage though.

Definitely!