Questions tagged [apache]

Questions about the security of Apache open source software, especially Apache HTTP Server

The Apache Software Foundation maintains a number of open source projects, notably including the Apache HTTP Server:

Apache has been the most popular web server on the Internet since April of 1996.

http://www.apache.org/

519 questions
0 votes, 1 answer

What L7 traffic patterns can make it easier to DoS an Apache web server?

We have a single JMeter HTTP load generator that we use to capacity test our web service (running Django + mod-wsgi + Apache). If we want to modify the traffic generated to DoS our web service, what are the most effective changes that we can make…
Jedi
0 votes, 1 answer

Apache server compromised with apache backdoor redirect referer

Every time I try to access my website it gets redirected to some malicious spam site. After lots of searching I came across the term apache backdoor redirect referer. I have root access to cPanel and WHM. Need some help in removing this exploit from…
0 votes, 2 answers

Flooded with apache2 processes

It seems that I've been flooded with requests to my websites, which is very strange; I only use my server for private use. I can only assume that whoever is doing this has a bad motive. This is happening on an Ubuntu server. Things are so bad that the…
mk_89
0 votes, 1 answer

Apache: Can I revoke a certain client certificate on a certain subdomain only?

I would like to know if we can make a client certificate valid for a certain subdomain (Virtual Host) only. For example, if I have two client certificates A and B: A is valid for subdomainX but not for subdomainY, and B is valid for subdomainY but not for…
Nap
0 votes, 1 answer

Apache Mod_Proxy Remote Negative Content-Length Buffer Overflow Vulnerability

We have a Windows Server 2012 R2 running Apache 2.2.27 and Apache tomcat8 version 1.0.15.0. Can you guys shed a few words on what the vulnerability is and also how to remediate this with the two versions that we are running in our environment?
gsb005
0 votes, 1 answer

File inclusion on a website always appending .php

I'm looking at a website that uses a URL parameter to include the current page, like http://host.tld/index.php?page=about. If I add anything other than the current page (e.g. http://host.tld/index.php?page=test) it reflects the parameter, added with…
SaAtomic
0 votes, 0 answers

Why does OWASP modsecurity block remote file inclusion for ?& in URL for Rule 950119

OWASP modsecurity rule 950119 for Remote File Inclusion blocks the following URL: https://mydomain.com?myparam=http://mysite.com?&param2=abcd What's the issue with having ?& in a URL that causes it to block?
Novice User
0 votes, 2 answers

DNS spoof saves IP to domain name after the attack is finished; is there a way to stop this?

As I understand it, after a domain name is resolved to a specific IP through DNS (www.example.com resolves to 10.10.10.10), this cache is saved in RAM on a computer for a little bit, AKA five or so minutes. (Note: correct me if I'm wrong.) So, when I DNS…
Creg
0 votes, 1 answer

Testing a digital signature on an incoming request via Apache

I am creating an API endpoint that receives a payload from a third party. The third party is signing the request with their X509 certificate (private key). I have been provided with their public certificate. How do I verify that the incoming request…
Richa Sinha
0 votes, 2 answers

Permissions for .htaccess file that needs to be modified by sister application?

The .htaccess in our application has 777 permissions because a sister application needs to write to it. Could you confirm that .htaccess with 777 permissions is bad for security and, if so, what a more secure alternative would be? I was thinking if the…
xylar
0 votes, 1 answer

Mod_security rules-updater.pl fails to pull new release

Mod_security has a rules updater distributed with their release packages on sourceforge: http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/ Usually, you can run the script and modsec will update the rules for you. However,…
0 votes, 1 answer

Is it secure to show admin pages only on a certain host?

I have a public website with no database (with static content). I have one admin page, which allows editing of the static content. I want to use that page only when the website is on my local computer, but not when it's uploaded to the hosting server. Is it safe to…
Somnium
0 votes, 0 answers

What's the worst implication of this apache configuration issue?

The following error message appears when I start apache2: apache2: Could not reliably determine the server's fully qualified domain name, using 10.168.103.11 for ServerName What's the worst thing that becomes possible due to this misconfiguration,…
Parthian Shot
0 votes, 1 answer

Is there an original information source linking output of Qualys SSL report to settings in nginx and Apache configurations?

The online tool at Qualys for testing webserver SSL configurations, https://www.ssllabs.com/ssltest/index.html, produces a list of codes like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA etc. There are a lot of howtos on…
vfclists
0 votes, 1 answer

What is the most valuable file you can get using a directory traversal hole?

I am doing a penetration test and I found a directory traversal hole in the web application which enables me to download any readable file on the server. However, I could only download files that are readable by the www-data (apache2) user (e.g. the file…