[imp] Apache SSL and Horde/IMP
Miroslaw Jaworski
mjaw@ipartners.pl
Wed Oct 23 09:27:34 2002
* Theresa M Peter (theresa@email.uc.edu) [021023 09:26] wrote:
> All-
>
> I am in kind of a bind right now. How do I configure horde to use apache
> without SSL support? Currently, we are using apache with SSL and
> unfortunately we were hit with the Slapper worm, since we were using
> openssl-0.9.6b-8 which is vulnerable.
>
> Instead of rebuilding from scratch I was just hoping to shut down the 443
> port which shuts down the vulnerability until I can rebuild from scratch
> over a weekend. Unfortunately, anytime I do this instead of getting an HTML
> page I get the PHP code showing up on screen.
Hi
Read some detailed description of the Slapper Worm ( or analyze
its code for yourself ) .
Shortly: Slapper spreads using APACHE HOLE ( chunk vulnerability in apache's
< 1.3.26 ) ) not the SSL HOLE. Apache hole allows Slapper to put
malicious code on the server. THEN, this uploaded code is compiled with
old buggy ssl library, which flaw is used to start a new "Slapper" daemon.
Disabling apache ssl won't change anything - by running old Apache on 80
port you're still vulnerable ( anyone can place a code on your machine,
whether he uses ssl hole or any other local exploit ).
Definitely you shouldn't force users to send their passwords unencrypted
over the net, as it will happen when you force them to use non-ssl apache.
You should consider machine compromised and preapare a new one.
Regards
MJ.
--
Miroslaw.Jaworski@ipartners.pl ( Psyborg ) MJ102-RIPE Internet Partners
Server Administration Department Manager