From owner-freebsd-questions  Wed Apr 12 16:25:17 1995
Return-Path: questions-owner
Received: (from majordom@localhost)
          by freefall.cdrom.com (8.6.10/8.6.6) id QAA00330
          for questions-outgoing; Wed, 12 Apr 1995 16:25:17 -0700
Received: from ain.charm.net (ain.charm.net [198.69.35.206])
          by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id QAA00307
          ; Wed, 12 Apr 1995 16:25:06 -0700
Received: (from nc@localhost) by ain.charm.net (8.6.11/8.6.9) id TAA00648; Wed, 12 Apr 1995 19:18:43 -0400
Date: Wed, 12 Apr 1995 19:18:43 -0400 (EDT)
From: Network Coordinator <nc@ain.charm.net>
To: freebsd-security@FreeBSD.org, freebsd-questions@FreeBSD.org
Subject: httpd - security problem? (question, not a statement)
Message-ID: <Pine.BSF.3.91.950412191639.621A-100000@ain.charm.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: questions-owner@FreeBSD.org
Precedence: bulk


I remember reading somewhere that there is a bug in a number of port 80 
daemons that would allow someone to gain root access remotely through it. 
I know there is a bug when using httpd with Satan v1.0 (well, for as much 
as a I trust CERT), but when not running Satan, is there any harm in 
letting cern_httpd v3.0 run in standalone (full-time) mode [as root, no 
less].

Any ideas on securing up a system would be greatly appreciated.

Thanks,

Jerry.