Questions tagged [apache]

Questions about the security of Apache open source software, especially Apache HTTP Server

The Apache Software Foundation maintains a number of open source projects, notably the Apache HTTP Server. From the project's own site:

Apache has been the most popular web server on the Internet since April of 1996.

http://www.apache.org/

519 questions
13 votes, 5 answers

Apache/Linux server, DoS attack from own IP

I have an unusual problem I've been trying to diagnose for a while: It's about a Debian server running a custom compile of apache 2.2 with PHP, Red5, MySQL 5.5 (standard binary), sendmail (distro version), and crashplan. Every other day I see a…
asked by Mantriur · 233 · 2 · 9
12 votes, 3 answers

FTP hacked, planted file

Can anyone help me to understand what this does? Someone has planted a file with this piece of code on my server. It is shortened because it cannot fit the question, but just to have some idea what could it be.
asked by user72138 · 121 · 1 · 3
12 votes, 4 answers

Is redirecting in htaccess providing enough security for sensitive pages?

I made files with MySQL database login details. Using .htaccess, I redirect every user from /Config/config.php to /index.php. I am wondering whether this is secure enough - this means whether it is enough to stop users from viewing…
asked by vakus · 3,743 · 3 · 20 · 32
12 votes, 1 answer

How to properly secure an ActiveMQ instance, and what are all of the different files for?

I'm trying to configure user based authentication for ActiveMQ, and I'm pretty confused about the many different files involved in this process. I've read ActiveMQ's security page, but I still have several questions. Just to be clear, my goal is…
asked by Ryan Stull · 273 · 3 · 11
11 votes, 2 answers

Implications of Trace/Track Methods on Apache

When performing vulnerability scans using Nessus, against a host running Apache, one expected result is always "HTTP TRACE / TRACK Methods Allowed". While this result only has a base CVSS of 4.3, I always recommend that it be corrected. The fix is…
asked by Scott Pack · 15,167 · 5 · 61 · 91
11 votes, 5 answers

How to get an "A" on Qualys SSL Labs with Apache 2.2?

I've tried running Qualys' ssltest a few times and it keeps complaining that PFS isn't supported in some browsers. On their blog, they suggest a configuration for Apache 2.4 that should get an "A" grade in their ssltest, but the configuration…
asked by Mark E. Haase · 1,902 · 2 · 15 · 24
10 votes, 3 answers

Is Apache vulnerable to CVE-2015-1781?

Is Apache vulnerable to CVE-2015-1781 (buffer overflow in the gethostbyname_r() family of functions)? How can I quickly check if a system of mine is secure?
asked by chenwen2 · 101 · 3
10 votes, 2 answers

Securing my web-server / website

Does anyone know of a comprehensive security guide about important basics / fundamentals which should be done to secure a web-server / website? A web link would do.
asked by oshirowanen · 705 · 3 · 10 · 21
10 votes, 1 answer

Very long HEAD request in server logs: What is the intention?

I'm getting logs like (using Apache server): 119.131.152.148 - - [20/Apr/2016:18:17:47 +0900] "HEAD…
asked by lepe · 2,184 · 2 · 15 · 29
9 votes, 3 answers

Does the recommended course of action for preventing Logjam on Tomcat servers really eliminate all risks of weak DH keys?

Can anyone verify this fix secures against the Logjam vulnerability for Apache Tomcat? I'm sceptical about its effectiveness, since it doesn't mention how to implement the user defined 2048 bit DH parameter file in Tomcat, but its cipher list does…
asked by Casper · 93 · 1 · 6
9 votes, 1 answer

Logging out of Basic HTTP Authentication

As seen on https://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication, there are some interesting ways of logging out a user from Basic HTTP Authentication. Currently I'm sending an HTTP 401 to do so like…
asked by rink.attendant.6 · 2,227 · 4 · 22 · 33
9 votes, 4 answers

Combat Apache Killer

Three days ago, KingCope released a simple Perl script to DoS Apache, aptly named Apache Killer. This script launches about 50 threads to request Partial Content from the server with optional GZIP encoding. This either will consume too much memory…
asked by Nam Nguyen · 1,450 · 12 · 14
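The question above describes a request pattern (many byte ranges in one Range header, optionally with gzip encoding) rather than a fix, and a practitioner looking at it wants to know what a filter in front of the server actually has to inspect. The following is an added example, not code from the question, from the Apache Killer script, or from httpd: a Python function that classifies a Range header value as allow, strip (ignore the header and serve the whole entity) or reject. The MAX_RANGES threshold of 5 and the choice to treat overlapping or descending ranges as suspicious are policy assumptions of this example, and KILLER_HEADER is a constructed sample shaped like the attack, not captured traffic.

```python
"""Classify an HTTP Range header the way a front-end filter for the byte-range
DoS pattern (many overlapping ranges per request) would.

Added example; the thresholds are policy assumptions, see the comments.
"""
import re
from typing import List, Optional, Tuple

MAX_RANGES = 5          # assumption: more ranges than this in one request are not served as ranges
_SPEC = re.compile(r"^(\d*)-(\d*)$")

ByteRange = Tuple[Optional[int], Optional[int]]   # (first, last); None = open end


def parse_ranges(header: str) -> Optional[List[ByteRange]]:
    """Parse 'bytes=0-99,200-,-500' into (first, last) pairs.
    Returns None when the value is not a syntactically valid byte-range set."""
    if not header.lower().startswith("bytes="):
        return None
    specs: List[ByteRange] = []
    for part in header[len("bytes="):].split(","):
        m = _SPEC.match(part.strip())
        if not m:
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is None and last is None:     # a bare "-"
            return None
        specs.append((first, last))
    return specs


def range_verdict(header: str, content_length: int) -> str:
    """'allow'  : serve as a (multipart) 206 response
       'strip'  : ignore the header and serve the whole entity with 200
       'reject' : malformed, answer 400"""
    specs = parse_ranges(header)
    if specs is None:
        return "reject"
    if len(specs) > MAX_RANGES:
        # The attack needs hundreds of ranges; legitimate clients (download
        # managers, PDF viewers) use a handful.
        return "strip"
    resolved: List[Tuple[int, int]] = []
    for first, last in specs:
        if first is None:                         # suffix range "-N": the last N bytes
            start, end = max(0, content_length - last), content_length - 1
        else:
            start = first
            end = content_length - 1 if last is None else min(last, content_length - 1)
        if start > end:                           # unsatisfiable or inverted (e.g. "5-0")
            return "strip"
        resolved.append((start, end))
    # Overlapping or descending ranges have no honest use; the vulnerable httpd
    # versions allocated memory per range, which is what the overlap exploited.
    for (_, prev_end), (start, _) in zip(resolved, resolved[1:]):
        if start <= prev_end:
            return "strip"
    return "allow"


# Constructed sample shaped like the attack tool's header, not captured traffic
KILLER_HEADER = "bytes=0-," + ",".join(f"5-{i}" for i in range(1300))

if __name__ == "__main__":
    for h in ("bytes=0-99", "bytes=0-50,25-75", KILLER_HEADER[:40] + "...", KILLER_HEADER):
        print(h[:48].ljust(50), range_verdict(h, 1_000_000))
```

In production this logic belongs in the front end (a SetEnvIf/RequestHeader rule in httpd or a rule in the reverse proxy) rather than in application code; the point of the function is to show what such a rule must look at. A single well-formed range is ordinary resumable-download traffic, so the presence of a Range header is not a signal on its own; the count of ranges and whether they overlap is.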
9 votes, 2 answers

URL from another domain in my access log

Most of the time when I am looking for 404 errors in my access.log, I see attempts to access something like /phpMyAdmin/scripts/setup.php. This does not bother me so much, but a few days ago I was surprised because I saw this in my…
asked by Salvador Dali · 1,745 · 1 · 19 · 32
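Both the very long HEAD request in the earlier question and the foreign-domain URL in this one are the kind of thing found by scanning the access log for request lines that do not look like the site's own traffic. As an added example (not from either question, and not Apache's code), here is a Python analyser over combined-format log lines that flags three traits: an abnormally long request line, an absolute URL for a host this server does not serve, and a 404 against a well-known scanner path. The sample lines are constructed here with RFC 5737 documentation addresses; OUR_HOSTS, the LONG_REQUEST threshold and the PROBE_PATHS set are assumptions to be replaced with the site's own values. Treating an absolute URL in the request line as a forward-proxy probe is one common explanation for another domain showing up there; the excerpt above is truncated, so the question's actual log entry may be something else.

```python
"""Triage of suspicious request lines in an Apache combined-format access log.

Added example; the site-specific values are assumptions and marked as such.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Combined log format: ip ident user [timestamp] "request" status size "referer" "agent".
# Apache escapes embedded quotes in the request as \", which this simple pattern
# does not handle; such lines surface as 'malformed' findings instead of being parsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

OUR_HOSTS = {"www.example.org", "example.org"}   # assumption: the vhosts this server serves
LONG_REQUEST = 2048                              # assumption: request-line bytes considered abnormal
PROBE_PATHS = {                                  # assumption: common scanner targets, lower-case
    "/phpmyadmin/scripts/setup.php",
    "/pma/scripts/setup.php",
    "/w00tw00t.at.isc.sans.dfind:)",
}


@dataclass
class Finding:
    ip: str
    kind: str      # long_request | proxy_probe | scanner_path | malformed
    detail: str


def analyse(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious trait; an ordinary line yields none."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append(Finding("?", "malformed", line[:60]))
            continue
        ip, req, status = m["ip"], m["req"], int(m["status"])
        parts = req.split(" ")
        if len(parts) != 3:
            # Not "METHOD target HTTP/x.y": raw-socket probes and garbage look like this
            findings.append(Finding(ip, "malformed", req[:60]))
            continue
        method, target, _version = parts

        if len(req) > LONG_REQUEST:
            findings.append(Finding(ip, "long_request",
                                    f"{method} with {len(target)}-byte target"))

        # An absolute URL in the request line is what a client sends to a forward
        # proxy; if the host is not one we serve, someone is testing us as a proxy.
        if target.startswith(("http://", "https://")):
            host = (urlsplit(target).hostname or "").lower()
            if host not in OUR_HOSTS:
                findings.append(Finding(ip, "proxy_probe", f"absolute URL for {host}"))

        path = target.split("?", 1)[0].lower()
        if status == 404 and path in PROBE_PATHS:
            findings.append(Finding(ip, "scanner_path", path))
    return findings


def by_ip(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per source address, the usual first step before blocking."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


# Constructed sample lines (RFC 5737 documentation addresses), not real log data
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Apr/2016:18:17:47 +0900] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Apr/2016:18:18:01 +0900] "HEAD /' + "A" * 3000 + ' HTTP/1.1" 404 - "-" "-"',
    '198.51.100.9 - - [20/Apr/2016:18:19:10 +0900] "GET http://www.other.example/ HTTP/1.1" 200 1234 "-" "curl/7.47.0"',
    '198.51.100.9 - - [20/Apr/2016:18:19:12 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 289 "-" "-"',
    'not a log line at all',
]

if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f"{f.ip:15} {f.kind:13} {f.detail[:50]}")
    print(by_ip(found))
```

Run it over a real log with `analyse(open("access.log"))`; the per-IP counts from `by_ip` are what you would feed into a firewall or fail2ban-style decision, while a single `long_request` from an address that otherwise behaves is usually just a scanner measuring the server's request-line limit and needs no action.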
9 votes, 3 answers

Chrome does not show green bar with EV SSL but firefox and IE does

I just installed an EV SSL certificate on my server. It has been done correctly and is working, the issue is that Chrome does not show the company name in the green address bar, just shows the green padlock and green https:// like you get when you…
asked by Richard · 91 · 1 · 1 · 4
9 votes, 1 answer

Extracting openssl pre-master secret from apache2

I would like to be able to decrypt my server's https traffic for debugging and analysis. My server is a debian 9 Apache2 server running mod_wsgi and django. I have seen this post: Extract pre-master keys from an OpenSSL application and I figured out…
asked by Yotam Alon · 93 · 1 · 3