From owner-freebsd-security Tue Apr 18 15:21:28 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id PAA21044
    for security-outgoing; Tue, 18 Apr 1995 15:21:28 -0700
Received: from grendel.csc.smith.edu (grendel.csc.smith.edu [131.229.222.23])
    by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id PAA20992 ;
    Tue, 18 Apr 1995 15:19:28 -0700
Received: from localhost (jfieber@localhost) by grendel.csc.smith.edu (8.6.5/8.6.5)
    id SAA23561; Tue, 18 Apr 1995 18:20:21 -0400
From: jfieber@cs.smith.edu (John Fieber)
Message-Id: <199504182220.SAA23561@grendel.csc.smith.edu>
Subject: Re: httpd - security problem? (question, not a statement)
To: nc@ain.charm.net (Network Coordinator)
Date: Tue, 18 Apr 1995 18:20:20 -0400 (EDT)
Cc: freebsd-security@FreeBSD.org, freebsd-questions@FreeBSD.org
In-Reply-To: from "Network Coordinator" at Apr 12, 95 07:18:43 pm
Content-Type: text
Content-Length: 701
Sender: security-owner@FreeBSD.org
Precedence: bulk

Network Coordinator writes:

> I remember reading somewhere that there is a bug in a number of port 80
> daemons that would allow someone to gain root access remotely through it.
> I know there is a bug when using httpd with Satan v1.0 (well, for as much
> as I trust CERT), but when not running Satan, is there any harm in
> letting cern_httpd v3.0 run in standalone (full-time) mode [as root, no
> less].

There was a bug in the NCSA http server which has since been fixed.
I'm not currently aware of any problems with the CERN server.

-john

=== jfieber@cs.smith.edu ================================================
=================================== Come up and be a kite! --K. Bush ===