[imp] Apache SSL and Horde/IMP

Miroslaw Jaworski mjaw@ipartners.pl
Wed Oct 23 09:27:34 2002


* Theresa M Peter (theresa@email.uc.edu) [021023 09:26] wrote:
> All-
> 
> I am in kind of a bind right now. How do I configure horde to use apache 
> without SSL support? Currently, we are using apache with SSL and 
> unfortunately we were hit with the Slapper worm, since we were using 
> openssl-0.9.6b-8 which is vulnerable.
> 
> Instead of rebuilding from scratch I was just hoping to shut down the 443 
> port which shuts down the vulnerability until I can rebuild from scratch 
> over a weekend. Unfortunately, anytime I do this instead of getting an HTML 
> page I get the PHP code showing up on screen.

Hi

Read a detailed description of the Slapper worm (or analyze
its code for yourself).

In short: Slapper spreads using the APACHE HOLE (chunk vulnerability in Apache
< 1.3.26), not the SSL HOLE. The Apache hole allows Slapper to put
malicious code on the server. THEN, this uploaded code is compiled with the
old buggy SSL library, whose flaw is used to start a new "Slapper" daemon.

Disabling Apache SSL won't change anything - by running old Apache on
port 80 you're still vulnerable (anyone can place code on your machine,
whether he uses the SSL hole or any other local exploit).
Definitely you shouldn't force users to send their passwords unencrypted
over the net, as will happen when you force them to use non-SSL Apache.

You should consider the machine compromised and prepare a new one.

Regards

MJ.

-- 
Miroslaw.Jaworski@ipartners.pl  ( Psyborg )  MJ102-RIPE  Internet Partners
Server Administration Department Manager
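As an added illustration of the reply's point (not code from the thread or from the Horde project), the check below parses Apache `Server:` banners and flags a host on the two version thresholds named above: Apache older than 1.3.26 and an OpenSSL build at or below 0.9.6b. Those thresholds are taken from this thread only and the banners are constructed samples; a real audit must consult the vendor advisories for the exact fixed releases, and a banner with no OpenSSL string (SSL disabled, port 443 closed) is still flagged when the Apache version itself is old.

```python
import re

# Thresholds as named in the thread: Apache before 1.3.26 (chunk bug) and the
# OpenSSL 0.9.6b build the poster was running. These are assumptions for this
# check, not an authoritative list of affected releases.
APACHE_FIXED = (1, 3, 26)
OPENSSL_VULN_MAX = (0, 9, 6, "b")

APACHE_RE = re.compile(r"Apache/(\d+\.\d+\.\d+)")
OPENSSL_RE = re.compile(r"OpenSSL/(\d+\.\d+\.\d+)([a-z]?)")


def apache_version(banner):
    """Return the Apache version as an int tuple, or None if absent."""
    m = APACHE_RE.search(banner)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def openssl_version(banner):
    """Return (major, minor, patch, letter); '' < 'a' < 'b' sorts correctly."""
    m = OPENSSL_RE.search(banner)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")) + (m.group(2),)


def assess(banner):
    """List the findings for one Server: banner (empty list means clean)."""
    findings = []
    ap = apache_version(banner)
    if ap is not None and ap < APACHE_FIXED:
        findings.append("apache<1.3.26")
    ssl = openssl_version(banner)
    if ssl is not None and ssl <= OPENSSL_VULN_MAX:
        findings.append("openssl<=0.9.6b")
    return findings


def triage(banners):
    """Map each banner to its findings, keeping only hosts with a finding."""
    return {b: assess(b) for b in banners if assess(b)}


if __name__ == "__main__":
    # Constructed sample banners, not real hosts.
    samples = [
        "Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b",  # both findings
        "Apache/1.3.20 (Unix) PHP/4.2.3",                      # SSL off, still old Apache
        "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6c",  # clean by these thresholds
    ]
    for banner, findings in triage(samples).items():
        print(banner, "->", ", ".join(findings))
```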