Weak Cipher Vulnerability On Apache Web Server
Apr 10, 2013
We are currently running ColdFusion 9 on an Apache server. After running a Webinspect scan for one of our web applications, a weak cipher vulnerability was flagged as critical. Their recommended change to the httpd.conf file is listed below. We made the change and restarted our server but the same vulnerability came up again. How to eliminate the weak cipher vulnerability?
SSLCipherSuite ALL:!aNull:!ADH:!eNull:!LOW:!EXP:!NULL:RC4+RSA:+HIGH:+MEDIUMÂ
View 3 Replies
ADVERTISEMENT
Jun 27, 2013
I am using plesk 11.0.9 and I want disable ssl anonymous authentication. A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm.
How I can disable anonymous authentication
Plesk apache + nginx running
View 2 Replies
View Related
Jul 8, 2015
After successfully changing to a fresh created dhparam pem and a reissue of my certificate all was well.
A couple of other things needed to be done so I followed the article: [URL] ....
nginxDomainVirtualHost.php was already present so the only thing I did was adding the ciphers I got from another site (ciphers that also gave me XP and IE8 support etc.)
After executing the httpdmng --reconfigure-all command I instantly got a error message:
Details: (timestamp) ERR [util_exec] proc_close() failed
(timestamp) ERR [panel] Apache config (14364042360.16209100) generation failed:
Template_Exception: nginx: [emerg] unknown directive "HIGH:!aNULL:!MD5"
[Code] .....
Why are "HIGH:!aNULL:!MD5" unknown directives? How can I merge:
ssl_ciphers
EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-RSA-AES128-GCM-SHA256HE-RSA-AES256-GCM-SHA384HE-RSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:
[Code] ....
into these these automatically created @domainname.conf files of all my sites without getting this error.
I'm hosting 5 sites, all 5 sites are down now because of the missing conf files.
View 9 Replies
View Related
Jul 15, 2008
Can anyone who is a security expert recommend the most secure option for choosing what type of "cipher" to use with our OpenVPN setup?
(I bolded the one I think might be best? Let me know what you think. We are currently using "BF-CBC", but I want to be sure it's not breakable...) ...
View 4 Replies
View Related
Jan 5, 2015
Recently i have upgraded my system to Plesk 12 and im loving it. After upgrading i started checking and fixing all my SSL shortcommings. I think i've come from a far end upgrading it.
One of the fixes was the poodle fix, wich recommended to upgrade cipher suites. When analysing my cipher suites at ssllabs testing suite i get the following errors:
TLS_RSA_WITH_RC4_128_MD5 (0x4) WEAK128
TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) WEAK128
RC4Yes WEAK
​I cannot find a way to remove the weak RC4 protocol and the other three weaknesses.
View 3 Replies
View Related
Aug 8, 2014
Yesterday we upgraded two of our servers to the latest Plesk 12.
The 1st server is an CentOS/CLoudlinux 6.x server and the 2nd an CentOS 5.x server.
Both of them were running Plesk 11.5 before the upgrade.
After the upgrade, we have the same issue in both servers which is that the START/TLS, SSL protocols at Courier imaps or pop3s do not work, and mail clients (outlook, thunderbird) return that the password is wrong when they connect over a secure connection.
In both of them, at the /var/log/maillog, we are getting the same messages, as the following one:
--------------------------------------------------------------------------
courier-imaps: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
--------------------------------------------------------------------------
As the issue is in both server, we believe thath it there is a bug in the new version or the update script.
We have already checked all configurations which seem ok, tried to... reboot the machines, mailchk repair, but nothing seems to work.Â
View 1 Replies
View Related
Nov 18, 2008
This security flaw came to light at the end of October and I didn't find it posted already so thought it worth mentioning having tested the helpdesks for some sites that we use and found them to be at risk.
D
etails and a demo exploit URL can be found at url]
For anyone who doesn't know, XSS flaws that allow execution of arbitrary javascript can be exploited easily and without user knowledge to obtain information such as login details or session IDs. This could happen in various ways, including visiting an unrelated page with a simple URL that redirects to the vulnerable URL and then back again. Tools such as NoScript for FireFox may help protect against this on the client side.
View 9 Replies
View Related
Jan 14, 2007
A user is able to use WebShell.cgi:
[url removed]
In order to run commands from the /scripts folder. This is especially dangerous as a user can give an account reseller priviledge with full root access.
Because webshell.cgi is running with the uid/gid of apache, it can access all files which can be access with apache. And guess what.... the /scripts folder is one of them.
Because it's a CGI script, it doesn't seem as though there is an easy way to block this.
View 14 Replies
View Related
May 13, 2008
I am building a website which require a data feed from a third party data provider. I have to fill out a 'questionair' when submitting my application and I'm not sure what to put for this questions.
Question: "Have you run a vulnerability assessment of network security? What is the current assessment rating?"
I Google'd for security rating but came up blank, without any useful result. Is there a level like 1-5 or something for network security rating? I m not sure what to put on here.
I'm not against getting a shared/virtual hosting account if the a host could provide me with these ratings.
View 2 Replies
View Related
Mar 13, 2007
[url]
cPanel Multiple Local File Include Vulnerabilities
Bugtraq ID: 22915
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Mar 11 2007 12:00AM
Updated: Mar 12 2007 04:54PM
Credit: cyb3rt & 020 are credited with the discovery of these vulnerabilities.
Vulnerable: cPanel cPanel 10.9 build 134
cPanel cPanel 10.9 build 125
cPanel cPanel 10.9
View 2 Replies
View Related
May 2, 2008
Just came through on the RSS feeds...
Quote:
Several potential security issues have been identified with cPanel software and Horde, a 3rd party bundled application. cPanel releases prior to 11.18.4 and 11.22.2 are susceptible to security issues, which range in severity from trivial to medium-critical. Along with the discovery of these potential issues, cPanel has released a new security tool to provide users with protection from XSRF attacks.
Quote:
All STABLE and RELEASE users are strongly urged to update to their respective 11.18.5 release. CURRENT and EDGE users should update to the latest 11.22.3 release. No releases are deemed susceptible to severe, critical or root access vulnerabilities.
[url]
View 8 Replies
View Related
May 29, 2007
I'm wondering if this is true:
[url]
Something like:
[url]
View 2 Replies
View Related
Sep 16, 2007
Attacking multicore CPUs
[url]
[url]
"The Register reports that the world of current multi-core central processing units (CPUs) just entered is facing a serious threat. A security researcher at Cambridge disclosed a new class of vulnerabilities that takes advantage of concurrency to bypass security protections such as anti-virus software The attack is based on the assumption that the software that interacts with the kernel can be used without interference. The researcher, Robert Watson, showed that a careful written exploit can attack in the little timeframe when this happens, and literally change the "words" that they are exchanging. Even if some of these dark aspects of concurrency were already known, Watson proved that real attacks can be developed, and showed that developers have to fix their code. Fast..."
View 0 Replies
View Related
Oct 1, 2014
We have Plesk Panel 11.5 in Virtuozzo containers (Centos 6 x86_64) and we often provide to our customers the ssh access with chroot - /usr/local/ psa/ bin/chrootsh.All we know about Shellshock Vulnerability and we already installed all fixes to bash, but chrootsh-version is still vulnerable.Here are the results of BashCheck from [URL] ..... under chrooted user:
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
bashcheck: line 15: 19226 Segmentation fault bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer.Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug).Do you plan to release updates for chrootsh?
View 2 Replies
View Related
Apr 29, 2007
Code:
$ md5sum sim-current.tar.gz
6c1cece6f3af87598c4bdb09cabcb3cc sim-current.tar.gz
Line 25, file: sim-2.5-3/setup
Code:
TMPS="/tmp/sim_cj"
Line 399, file sim-2.5-3/install/sim
Code:
cat $TMPS >> /etc/crontab
If a local user creates a symlink to that file, then writes to the sim_cj file being linked to, as SIM is being installed, they can influence the contents of /etc/crontab.
Contacted the vendor via email on 04/17/07, email bounced.
Opened a ticket via their helpdesk ~5 days ago, no response.
Again, this is only an issue during the install, which is an extremely small window of time. Any bug that could lead to root access should be fixed, however.
View 0 Replies
View Related
Mar 7, 2008
An arbitrary file inclusion vulnerability has been discovered in the Horde
webmail application. At present, we can confirm that this security
vulnerability in question affects Horde 3.1.6 and earlier. Based on
incomplete information at this time, we also believe this affects Horde
Groupware 1.0.4 and earlier as well (cPanel does not use Horde Groupware
at this time).
cPanel customers should update their cPanel and WHM servers immediately to
prevent any chance of compromise. The patch will be available in builds
11.18.2 and greater (or 11.19.2 and greater for EDGE systems). The updated
builds will be available immediately to all fast update servers. The
builds will be available to all other update servers within one hour of
this posting.
To check which version of cPanel and WHM is on your server, simply log
into WebHost Manager (WHM) and look in the top right corner, or execute
the following command from the command line as root:
/usr/local/cpanel/cpanel -V
You can upgrade your server by navigating to 'cPanel' -> 'Upgrade to
Latest Version' in WebHost Manager or by executing the following from the
command line as root:
/scripts/upcp
It is recommended that all use of Horde 3.1.6 and earlier be stopped (on
cPanel and non-cPanel systems alike) until Horde updates can be applied.
You can disable Horde on your cPanel system by unchecking the box next to
'Server Configuration' -> 'Tweak Settings' -> 'Mail' -> 'Horde Webmail'
within WHM, and saving the page with the new settings.
View 14 Replies
View Related
Oct 7, 2014
I have a -I think- common issue, one external server available from internet and an internal server for local only.
I want that to ask for [URL] ....
I can get the content of an internal server. For this I tried this at httpd.conf:
Redirect /site http://in.ter.nal.ip/site
but browser changes to internal IP and obviously I can't reach it.
So, I need that when external server detects that I want to see internal server content, it ask to internal and external itself answers.
View 2 Replies
View Related
Jun 8, 2014
I have Apache 2.2.26 running on OS X 10.9.3.My situation is that I consistently get an error that client denied by server configuration when accessing /server-status.
View 1 Replies
View Related
May 6, 2008
I've some issues with Server API set to Apache. Wordpress PHP include widgets doesn't load at all, script similar to this:
PHP Code:
$fp = @fsockopen("domain.com", "80",$errno, $errstr,
$timeout="5");
if($fp) { require...
shows blank page, once I click "mark as spam' in Wordpress, it gives me default page cannot load browser error (found that many people experiencing this with mod_security enabled, but I have this one disabled) and few other problems.
Does anyone know any differences between Server API set to CGI instead Apache which could cause those problems?
View 5 Replies
View Related
Mar 26, 2008
installing apache and IIS on the same server (windows 2003) using different IP addresses.
Could anybody advise me on whether this a bad thing to do or is there anything I should consider before I do this?
View 5 Replies
View Related
Dec 17, 2007
I've just setup an apache web server on my Windows Vista machine. The purpose of this webserver is to provide my LAN with a PHP based client database program.
I've finally got everything working (including Apache 2.2.6, MySQL 5, PHP 5 and SSL). The only issue now is that when I go to a website (on the net) that has a secure page, for some reason, my localhost/apache server is trying to authenticate the SSL certificate. As a result I am getting a window pop up saying that the certificate for 192.168.1.100 does not match the domain name of the website being contacted, would I like to continue.
I know that it is a problem with my webserver configuration because if I turn it off and contact the site, everything works fine (no error messages). Once I re-start the apache server, I get the error messages again.
I don't know if it matters, but, the SSL certificate used on my server was created by myself with openssl.
View 0 Replies
View Related
Mar 21, 2007
Can i configure a ftp server using apache on windows?
If yes then how can i do that?
View 0 Replies
View Related
Jun 10, 2009
Not sure if this is an Apache issue but I'm guessing it is. I also have cPanel on this server.
I made a PHP script and placed it on my server. This script has a function that will create a new file on the server, say a .txt file with information in it. When I go to do anything with that file that is created such as edit it, I get a permission denied from the server.
For example, FTP returns:
"Response: 550 Rename/move failure: Permission denied. "
Someone guessed that it is possible that when the PHP file is creating a new file on the server, it automatically places its permissions under root/apache, making it inaccessible for the cPanel user... if this were the case how could I potentially solve this issue?
View 5 Replies
View Related
May 2, 2009
I just restarted the Apache Server, because my server was using 4GB out of physical memory and 1.5GB out of 2GB swap memory.
This is happening while Apache is only processing 3 requests per second and the server specifications are huge overkill. Dual Xeon E5420 SuperMicro Barebone with 4GB DDR2 ECC fully buffered Memory.
I have problems finding the reasons to the leak. I have restarted the apache server so I cannot provide top and server-status information, until the next memory problems.
I have seen 50 httpd pid's in top (could be more) with 250mb per process. Pretty huge. While that specific pid in /server-status was only serving e.g. a 1kg image.
Code:
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 120
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive Off
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15
##
## Server-Pool Size Regulation (MPM specific)
##
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# ServerLimit: maximum value for MaxClients for the lifetime of the server
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
StartServers 24
MinSpareServers 5
MaxSpareServers 100
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 4000
</IfModule>
# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
StartServers 8
MaxClients 1500
MinSpareThreads 125
MaxSpareThreads 750
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
View 5 Replies
View Related
Jun 24, 2009
I recently had to move my site from Linux to Windows hosting because I was adding an application that requires ASP.NET. The problem is the server that it uses (Windows iis) makes other parts of my site not work.
So my programer recommended using an Apache server with my Windows VPS (or hosting - I have no specific preference of either VPS or hosting) -
Does anyone know a hosting company that does this? Offers Windows hosting with an Apache server?
View 1 Replies
View Related
Apr 17, 2009
I am trying to host an apache web server on my xp home edition but i am running into a few problems. First off i purchased a domain name of "hollingsworthsolutions.com".
I am using zoneedit for my name servers:
primary: ns15.zoneedit.com 69.10.134.195 and
secondary: ns9.zoneedit.com 66.240.231.42.
My ISp blocks port 80 but apparently there is a simple work around by utilizing a Web Forward so i am using the following information per their guide:
hollingsworthsolutions.com [url]
[url] [url]
And my IP address on their site is configured as ww2.hollingsworthsolutions.com which points to 148.100.213.142
The following is a copy paste of my httpd.conf file
---------------------------------------------------------------
ServerRoot "C:/Program Files/Apache Software Foundation/Apache2.2"
Listen 5000
ServerName hollingsworthsolutions.com
DocumentRoot "C:Documents and SettingsDeadalusDesktophtdocshollingsworthsolutions"
<Directory />
Options FollowSymLinks
AllowOverride none
Order deny,allow
Allow from all
</Directory>
<Directory "C:Documents and SettingsDeadalusDesktophtdocshollingsworthsolutions">
Options Indexes FollowSymLinks
AllowOverride None
Allow from all
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
# Example:
# Redirect permanent /foo http://www.hollingsworthsolutions.com/bar
<Directory "C:Documents and SettingsDeadalusDesktophtdocshollingsworthsolutions">
Options FollowSymLinks
AllowOverride none
Order allow,deny
Allow from all
</Directory>
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
AllowOverride none
Options None
Order allow,deny
Allow from all
</Directory>
<VirtualHost 148.100.213.142:5000>
DocumentRoot "C:Documents and SettingsDeadalusDesktophtdocshollingsworthsolutions"
ServerName ww2.hollingsworthsolutions.com
</VirtualHost>
----------------------------------------------------------------
Port 5000 is open in my firewall. Also when i enter www.hollingsworthsolutions.com into my browsers url it does indeed attempt to redirect me... That being said I have tried almost everything for people from the internet to access my page,
View 3 Replies
View Related
Jun 7, 2008
ive created myself a little test site and i mananged to host it with a server thats sitting behind a nat router by forwarding port 80 to it, this site can be accessed from outside my home network by entering the ip address of my router into internet explorer.
then i create myself a free host at no-ip.com and i used the .servegame.com option so its MySite.servegame.com.
it succesfully resolves to my ip becuese when i ping it from the wndows command line it pings the IP of my router.
but for some reason it cant be used to acces my site through a web browser.
the only thing i can think of is that it has somehhing to do with the "domain name" and "server name" fields that you have to fill in while installing apache although no matter what i put into those fields i can stil access my site using my routers IP.
View 1 Replies
View Related
Sep 8, 2007
Is anyone have a ebook or article about secure linux server and apache .
I want to secure own server and my vps customer
my linux system : Centos
also i have cpanel control panel
View 3 Replies
View Related
Apr 16, 2007
I have two servers, one for apache hosting a vbulletin forum, and another one for hosting its database.
Sometimes, I get very high load on the Apache server (>300) and the server stops responding. As a result, I have to stop apache in order to reduce the load and then start it again.
when I query the number of online users using this command:
Code:
netstat -an | grep : 80 | wc -l
I get about 1500 to 2000
but in the forum statistics, the number of online users is more than 5000. I already made sure that there are no DoS or DDoS attacks.
This is the specs of my apache server:
CPU: GenuineIntel Intel(R) Pentium(R) D CPU 3.40GHz
RAM: 2 GB
Server OS: CentOS 4.4
Apache Version: 1.3.37
and here is my httpd.conf:
Code:
ServerType standalone
Timeout 15
KeepAlive On
MaxKeepAliveRequests 200
KeepAliveTimeout 15
MinSpareServers 10
MaxSpareServers 15
StartServers 10
MaxClients 500
MaxRequestsPerChild 0
Is there anyway by which I can optimize my server for better performance and less load?
View 12 Replies
View Related
Mar 13, 2007
I am trying to decide which suits more server that is running apache and emails just, as mysql is on another server.
Dual Processor Dual Core Xeon 5140 - 2.33GHz (Woodcrest) - 2 x 4MB cache
Dual Processor Quad Core Xeon 5310 - 1.6 GHz (Clovertown) - 2 x 8MB cache
Both are close in price.
View 0 Replies
View Related
Jan 16, 2007
i have set up an apache server on the redhat CentOS 4.2.my apache server is running very slow. will u pls tell me which parameters do i need to check for this problem? which parameters do we check for monitering the apache server?
View 0 Replies
View Related
