undefined | Better HN

0 pointscpncrunch3y ago0 comments

I assumed myself there must be a lot of root privilege vulnerabilities in Apache, but it appears there isn't a single one:

https://www.cvedetails.com/vulnerability-list.php?vendor_id=...

All the above seem to be in other Apache products. I think the fact that Apache doesn't run as root helps to mitigate these risks. Having said that, I have had a server compromised (about 20 years ago), through apache, suexec and a vulnerable cgi script, so I think it's best to be paranoid about security. I don't even see suexec on my current ubuntu 20.04 server (I used to just delete it).

0 comments

2 comments · 1 top-level

Aachen3y ago· 1 in thread

Don't get me wrong, I don't mean to recommend running ancient software and not caring about security! It was rather out of curiosity: for the past 20-something years, which is no guarantee for the future (especially with software getting more complex than ever), would there be a blanket issue if you follow best practices in general (like dropping ports in iptables if you don't need them), or is it only specific circumstances like if you use a found-to-be-vulnerable function like for filename sanitisation? I don't know of any blanket linux/apache compromises off the top of my head, but there very well might be some.

cpncrunchOP3y ago

From my perspective, there seems to be a lot more vulnerabilities found today than 20 years ago, so I don't think it's wise to have an unpatched 24 year old kernel or web server.

j / k navigate · click thread line to collapse