This is a discussion on Apache Server on an Intranet within the Apache Web Server forums, part of the Web Server and Related Forums category; How safe is an Apache server on a company intranet from the hacks one might have to worry about on ...
How safe is an Apache server on a company intranet from the hacks one might have to worry about on the internet? I've got an Apache/MySQL/PHP data system that I use on the company I work for's intranet and was just curious what others thought the potential issues or risks may be. TIA
On Jun 21, 7:20 am, cover <coverlandNOSPAM...@yahoo.com> wrote:
> How safe is an Apache server on a company intranet from the hacks one
> might have to worry about on the internet? I've got an
> Apache/MySQL/PHP data system that I use on the company I work for's
> intranet and was just curious what others thought the potential issues
> or risks may be. TIA

by FAR the most vulnerable part of that will be the application code (PHP) - the code not written by the vendors of these pieces of software, but by your own staff and by third parties whose PHP software you install to a deadline - if that has holes in it, you will be able to rip into the heart of the intranet with ease, enumerate the DBMS, grab others' data/act as them, depending on how "trusted" the intranet is, all kinds of things. I notified my ISP (Zen Internet) of a flaw in their .NET SSL "portal" months ago, the developer couldn't see it, and wanted proof of concept I don't have time to give, the XSS flaw is still there, albeit in modified form, you need someone other than the developer to be in charge of looking over code because it eases deadline and ego pressures. I wouldn't worry about Apache, it is the least of your concerns.

But the same goes for sites out on the internet, if they have web app flaws, they can be used to launch attacks on you, and through your browser and on to your intranet.... It's just a big ol' web out there (meaning once you've plugged your computer in to a network)

As for Apache specifically, keep updating and it's got a good reputation. For more see secunia for various software security issues.
Thank you Sir... Appreciate the reply very much.
On Fri, 22 Jun 2007 03:17:21 -0700, shimmyshack <matt.farey@gmail.com> wrote:
>by FAR the most vulnerable part of that will be the application code
>(PHP) - the code not written by the vendors of these pieces of
>software, but by your own staff and by third parties whose PHP
>software you install to a deadline - if that has holes in it, you will
>be able to rip into the heart of the intranet with ease, enumerate the
>DBMS, grab others' data/act as them, depending on how "trusted" the
>intranet is, all kinds of things. I notified my ISP (Zen Internet) of
>a flaw in their .NET SSL "portal" months ago, the developer couldn't
>see it, and wanted proof of concept I don't have time to give, the XSS
>flaw is still there, albeit in modified form, you need someone other
>than the developer to be in charge of looking over code because it
>eases deadline and ego pressures. I wouldn't worry about Apache, it is
>the least of your concerns.
>But the same goes for sites out on the internet, if they have web app
>flaws, they can be used to launch attacks on you, and through your
>browser and on to your intranet.... It's just a big ol' web out there
>(meaning once you've plugged your computer in to a network)
>As for Apache specifically, keep updating and it's got a good
>reputation. For more see secunia for various software security issues.
On Jun 23, 5:24 pm, cover <coverlandNOSPAM...@yahoo.com> wrote:
> Thank you Sir... Appreciate the reply very much.
>
> On Fri, 22 Jun 2007 03:17:21 -0700, shimmyshack <matt.fa...@gmail.com>
> wrote:
>
> >by FAR the most vulnerable part of that will be the application code
> >(PHP) - the code not written by the vendors of these pieces of
> >software, but by your own staff and by third parties whose PHP
> >software you install to a deadline - if that has holes in it, you will
> >be able to rip into the heart of the intranet with ease, enumerate the
> >DBMS, grab others' data/act as them, depending on how "trusted" the
> >intranet is, all kinds of things. I notified my ISP (Zen Internet) of
> >a flaw in their .NET SSL "portal" months ago, the developer couldn't
> >see it, and wanted proof of concept I don't have time to give, the XSS
> >flaw is still there, albeit in modified form, you need someone other
> >than the developer to be in charge of looking over code because it
> >eases deadline and ego pressures. I wouldn't worry about Apache, it is
> >the least of your concerns.
> >But the same goes for sites out on the internet, if they have web app
> >flaws, they can be used to launch attacks on you, and through your
> >browser and on to your intranet.... It's just a big ol' web out there
> >(meaning once you've plugged your computer in to a network)
> >As for Apache specifically, keep updating and it's got a good
> >reputation. For more see secunia for various software security issues.

remember though any piece of powerful software (like Apache) can be misconfigured to release too much, my advice is to see the chapter of the manual on Apache security http://httpd.apache.org/docs/2.2/mis...rity_tips.html and visit Google for "Apache Hardening" to see a load of great websites for good practice.
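An added example, not part of the thread and not Apache's own tooling: a small Python check for the kind of misconfiguration the last reply warns about, an httpd configuration that releases more than it needs to. The sample config, the `audit` function and the choice of checks are assumptions for illustration; the directive names are standard httpd directives, and nested sections are not tracked.

```python
import re

# Constructed sample config (not from the thread); all directives are standard httpd ones.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
<Directory "/var/www/intranet">
    Options Indexes FollowSymLinks
</Directory>
<Location /server-status>
    SetHandler server-status
</Location>
"""

def audit(conf_text):
    """Return findings for settings that disclose more than an intranet app needs."""
    findings = []
    # httpd's built-in defaults apply when a directive is absent.
    values = {"servertokens": "full", "serversignature": "off"}
    section, status, guarded = "server config", False, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):  # leaving a section: judge what was seen inside it
            if status and not guarded:
                findings.append(f"server-status has no access restriction in {section}")
            section, status, guarded = "server config", False, False
        elif line.startswith("<"):  # entering <Directory ...>, <Location ...>, ...
            section, status, guarded = line, False, False
        else:
            name, *rest = line.lower().split(None, 1)
            args = rest[0] if rest else ""
            if name in values:
                values[name] = args
            elif name == "options" and re.search(r"(?<![-\w])\+?indexes\b", args):
                findings.append(f"directory listings enabled in {section}")
            elif name == "sethandler" and args == "server-status":
                status = True
            elif name == "deny" or (name == "require" and args != "all granted"):
                guarded = True  # heuristic: some restriction is present
    if values["servertokens"] not in ("prod", "productonly"):
        findings.append("ServerTokens exposes version details in the Server header")
    if values["serversignature"] != "off":
        findings.append("ServerSignature adds server details to generated pages")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEAK_CONF)))
```

An empty result only means none of these four checks fired; it is a starting point for the manual's security tips, not a substitute for them.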