security considerations/issues for web-app where apache has sudo as user access

I am working on a web app and was hoping to get some security threat perspective from folks here. I am trying to identify all the potential threat vectors so I can secure them. I am too close to the problem to trust my instinct…

Should I close port 80 forever and ever since the 2018 Google-indicated web-security initiatives?

I often establish Ubuntu-LAMP environments on which I host a few Drupal web applications that I myself own (I don’t provide any hosting services and have never done so in the past).

Whenever I establish such an environment, the m…

Apache, Dirty Cow, & Edge – Paul’s Security Weekly #582

Cisco accidentally released Dirty Cow exploit code, Apache Struts Vulnerabilities, Zero Day exploit published for VM Escape flaw, Spam spewing IoT botnet infects 100,000 routers, and some of these vibrating apps turn your phone into a sex toy! Paul…

Apache alerts developers of remote code execution flaw

The team that develops the Apache Struts framework is alerting users of a critical vulnerability that could allow remote code execution attacks. In an alert posted Monday, the Apache Foundation urged developers to update a key component of the framework in order to patch the flaw. Projects using Struts 2.3.36 and prior are affected, Apache said, because of a vulnerable commons-fileupload library; the up-to-date version of Struts already uses the latest component. Developers need to update to the latest version of the commons-fileupload library to “prevent your publicly accessible web site from being exposed to possible Remote Code Execution attacks,” the Apache team said. Such an attack could allow attackers to take over an unsuspecting developer’s server and install malware. “Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload,” the warning said. The […]

The post Apache alerts developers of remote code execution flaw appeared first on Cyberscoop.


Equifax nemesis Apache Struts found vulnerable to 2-year-old unpatched flaw; workaround available

Remember how an unpatched flaw in Apache Struts caused one of the biggest data breaches in history? It could happen again, if those using Apache Struts versions 2.3.x or lower fail to replace a file-upload component with a newer version. Apache release…