qmail toaster for centos 6.x

Lisa Kachold lisakachold at obnosis.com
Sun Jun 2 05:27:03 MST 2013


Eric,

On Sat, Jun 1, 2013 at 7:23 AM, Eric Shubert <ejs at shubes.net> wrote:

> On 05/31/2013 05:41 PM, Lisa Kachold wrote:
>
>> Nginx has some pretty serious security issues, so be sure that you
>> implement it with all the patches and complete recommendations:
>>
>> http://nginx.org/en/security_advisories.html
>>
>
> The current version in CentOS4 is not susceptible to any of these
> vulnerabilities. Good to check though.


Yes, Shubes! Don't even blink! Every day another exploit is announced!
Excerpts:
Anonymous hackers behind the Cdorked malware that targets Apache servers
now have extended their exploit to infect open-source Nginx and Lighttpd
server software.
http://blog.solidshellsecurity.com/2013/04/29/nginx-ngx_http_close_connection-function-integer-overflow-exploit-patch/
This integer overflow fails over so you can do just about whatever you
like; especially with the right tools:

http://exploitsdownload.com/search/nginx/

Old stuff from 2010: "A noobs guide to hacking Nginx"
http://hoisie.com/2010/12/29/a-cool-example-of-hacking-nginx/

Nginx Tuesday announced the release of nginx-1.4.1 <http://nginx.org/en/> --
as well as "development version" nginx-1.5.0 -- to fix a buffer-overflow
vulnerability that attackers could exploit to execute arbitrary code on an
Nginx server and completely compromise it. In a security advisory
<http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html> issued
Tuesday, Nginx said the bug
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028> is
present in Nginx versions 1.3.9 and 1.4.0. "The problem is fixed in nginx
1.5.0 [and] 1.4.1," it said.

Yes, installing from repo (with Red Hat/CentOS/Fedora and Ubuntu) means that
if a vulnerability exists with a patch available, the Nginx installed is
going to include that security fix.

CentOS/Red Hat (and Ubuntu) are so fast with fixing vulnerabilities (and
the Nginx security issues are all the standard browser stack vulns: stack
smash, XSS, remote code execution, escalated privs). Of course there are
also a few implementation security issues - that seem like nice hacks on
the front side until - well, your site is defaced:
http://www.theadminzone.com/forums/showthread.php?t=99536

It's really rather outrageous that Apache has dominated this space for so
long, when slimmed down httpd servers and reverse proxies do the job so
much better, especially in 3/4 tiered environments with J2EE, is it not?

Nginx:

http://blog.solidshellsecurity.com/2013/04/29/nginx-ngx_http_close_connection-function-integer-overflow-exploit-patch/

I personally still favor the custom compiled Apache2 with vastly scaled
down binary size (dynamic module stripping) and custom server signature
[replacing "Apache2 $version" with "$customstring $version", which IS
allowed under the Apache2 license] (to reduce fingerprinting - and
therefore also limit script kiddies - if we can't mitigate everything let's
obfuscate!).


-- 

(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
it-clowns.com <http://it-clowns.com/d/>
Chief Clown