Weak Security in Many Webservers: VNUnet

Many webservers are weak according to a recent VNUnet story. This isn't exactly news, but it is worth bringing up again. OK, so it pretty much should go without saying, yet, even at the risk of being overly obvious, I am still saying it.

Servers that are misconfigured and/or running outdated or known-flawed programs or code are a major problem. Misconfiguration is truly epidemic and is very often much more detrimental than an exploit. Exploits often use buffer overflows or known code problems and are a concern, but when a web user can simply use the browser for the attack and read the passwd file (which is very possible with many default Apache and/or Apache PHP installations) or the SAM (which is possible with a default IIS4 install; yes, this is true, it can be done), then the door is wide open without having to even go to the trouble of attempting a "real" exploit.

There are obviously two areas of BASIC concern: misconfiguration and true exploitation. Misconfiguration is all too often to blame for servers being "hacked." In fact, you can often use popular search engines to find a myriad of credit card numbers, personal information, passwords and server specifics just by executing the right search. This works because countless servers put critical files somewhere in the docRoot (a critical configuration mistake that is easily avoidable). Servers and webservers are complicated and require knowledge to set up correctly. When you click those buttons it means something, and if it is not understood there will be problems.
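A check an administrator can run against their own document root for the mistake described above, as an added example that is not part of the original post. The pattern list, function names and sample tree are assumptions constructed for illustration; it flags files whose names suggest they do not belong under the docRoot and symlinks that resolve outside it.

```python
import fnmatch
import os
import tempfile

# Illustrative (not exhaustive) name patterns for files that do not belong
# under a web document root. These are assumptions chosen for the example.
SENSITIVE_PATTERNS = [".htpasswd", "passwd", "*.sql", "*.bak", "*.old",
                      "*.mdb", "*.key", "*.pem", "*.log"]


def audit_docroot(docroot):
    """Return sorted (relative_path, reason) findings for entries under docroot."""
    real_root = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            # A symlink that resolves outside the docroot can expose system
            # files if the server is configured to follow links.
            if os.path.islink(full):
                target = os.path.realpath(full)
                if os.path.commonpath([real_root, target]) != real_root:
                    findings.append((rel, "symlink leaves docroot"))
                    continue
            if name in filenames:
                # Compare case-insensitively so ORDERS.SQL is caught too.
                for pattern in SENSITIVE_PATTERNS:
                    if fnmatch.fnmatchcase(name.lower(), pattern):
                        findings.append((rel, "name matches " + pattern))
                        break
    return sorted(findings)


def build_sample_docroot():
    """Create a constructed sample tree in a temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "shop", "backup"))
    for rel in ("index.html", "shop/cart.php", "shop/backup/orders.SQL",
                "shop/.htpasswd", "shop/config.php.bak"):
        with open(os.path.join(root, rel), "w") as handle:
            handle.write("constructed sample\n")
    os.symlink("/etc", os.path.join(root, "etc-link"))
    return root


if __name__ == "__main__":
    for path, reason in audit_docroot(build_sample_docroot()):
        print(path + ": " + reason)
```

Anything the audit reports should be moved outside the document root or removed; a clean report covers only the listed patterns, not every possible exposure.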

The first step is to have a good sysAdmin. SysAdmins are invaluable, no matter if you spend nil on the hardware and software or millions. If it is not properly set up and maintained, it is worthless because it could be taken down very quickly and/or severe damage to data could occur. Secondly, and this is really ingrained in step 1, the server code and working code must be maintained to current levels.

There are many aspects to system and webserver security, but it is the basics that are often overlooked.

The recent VNUnet story is simply validation of that fact. The VNUnet story is specifically about SSL and servers using outdated SSL standards, weak keys and/or self-signed keys (very smart there). These are all valid problems, but they are simply symptoms of the misconfiguration epidemic.

This is the tip of the proverbial security iceberg and IT decision makers need to start to realize the issues and value security and security personnel accordingly.

Check the link for details.   Weak Security in Many Webserver: VNUnet