lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: lumpy at the.whole.net (the lumpalaya)
Subject: ***INTERLAND*** 's default vps PROBABLY has
 REMOTE COMPROMISE vulnerability

Just curious -- did you make sure to account for the fact that lots of
people backport fixes so that version numbers dont always tell
you that something is exploitable?  (linux dists seem keen on this a lot).

>
> INTERLAND is the most popular web hosting corporation online - even
> bigger than VERIO - according to 3rd-party survey. INTERLAND's default
> vps PROBABLY has REMOTE COMPROMISE vulnerability. "PROBABLY" means i
> just checked the version # of apache, but have not exploited it yet.
>
> when i was planning to run my webapp on INTERLAND's web server, i found
> the server is running apache.1.3.22 and php4.0.x. after checking
> security record at httpd.apache.org AND php.net, i found both apache and
> php contain serious vulnerabilities:
>
> the most serious problem is critical: apache1.3.22 contains REMOTE
> COMPROMISE vulnerability:
>     Apache Chunked encoding vulnerability  CVE-2002-0392
>
> i created support ticket in my account, and waited for about 36 hours,
> but no one responded. then i closed the ticket. it looks like the
> support staff don't care for remote compromise - or too busy to fix it.
> so INTERLAND users must download and install apache themselves.
>
> for demonstration purpose, the following INTERLAND websites are running
> apache1.3.22
> 209.203.227.116,  209.203.227.115, 209.203.227.114
> 209.203.227.117 is an exception - it's my web server with apache1.3.32
> and php5 :-))))
>
> Regards,
>
> Liu Die Yu
> http://umbrella.name/people/liu.dieyu/
>
> UMBRELLA.NAME
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

Powered by blists - more mailing lists