Apache Server on an Intranet

on 21.06.2007 08:20:53 by cjo

How safe is an Apache server on a company intranet from the hacks one
might have to worry about on the internet? I've got an
Apache/MySQL/PHP data system that I use on the company I work for's
intranet and was just curious what others thought the potential issues
or risks may be. TIA

Re: Apache Server on an Intranet

on 21.06.2007 09:35:53 by unknown

Post removed (X-No-Archive: yes)

Re: Apache Server on an Intranet

on 22.06.2007 12:17:21 by shimmyshack

On Jun 21, 7:20 am, cover wrote:
> How safe is an Apache server on a company intranet from the hacks one
> might have to worry about on the internet? I've got an
> Apache/MySQL/PHP data system that I use on the company I work for's
> intranet and was just curious what others thought the potential issues
> or risks may be. TIA

by FAR the most vulnerable part of that will be the application code,
(PHP) - the code not written by the vendors of these pieces of
software, but by your own staff and by third parties whose PHP
software you install to a deadline - if that has holes in it, you will
be able to rip into the heart of the intranet with ease, enumerate the
DBMS, grab others' data/act as them, depending on how "trusted" the
intranet is, all kinds of things. I notified my ISP (Zen Internet) of
a flaw in their .NET SSL "portal" months ago, the developer couldn't
see it, and wanted proof of concept I don't have time to give, the XSS
flaw is still there, albeit in modified form, you need someone other
than the developer to be in charge of looking over code because it
eases deadline and ego pressures. I wouldn't worry about Apache it is
the least of your concerns.
But the same goes for sites out on the internet, if they have web app
flaws, they can be used to launch attacks on you, and through your
browser and on to your intranet.... It's just a big ol' web out there
(meaning once you've plugged your computer in to a network)
As for Apache specifically, keep updating and it's got a good
reputation. For more see Secunia for various software security issues.

Re: Apache Server on an Intranet

on 23.06.2007 18:24:14 by cjo

Thank you Sir... Appreciate the reply very much.



On Fri, 22 Jun 2007 03:17:21 -0700, shimmyshack
wrote:


>by FAR the most vulnerable part of that will be the application code,
>(PHP) - the code not written by the vendors of these pieces of
>software, but by your own staff and by third parties whose PHP
>software you install to a deadline - if that has holes in it, you will
>be able to rip into the heart of the intranet with ease, enumerate the
>DBMS, grab others' data/act as them, depending on how "trusted" the
>intranet is, all kinds of things. I notified my ISP (Zen Internet) of
>a flaw in their .NET SSL "portal" months ago, the developer couldn't
>see it, and wanted proof of concept I don't have time to give, the XSS
>flaw is still there, albeit in modified form, you need someone other
>than the developer to be in charge of looking over code because it
>eases deadline and ego pressures. I wouldn't worry about Apache it is
>the least of your concerns.
>But the same goes for sites out on the internet, if they have web app
>flaws, they can be used to launch attacks on you, and through your
>browser and on to your intranet.... It's just a big ol' web out there
>(meaning once you've plugged your computer in to a network)
>As for Apache specifically, keep updating and it's got a good
>reputation. For more see Secunia for various software security issues.

Re: Apache Server on an Intranet

on 25.06.2007 01:25:28 by shimmyshack

On Jun 23, 5:24 pm, cover wrote:
> Thank you Sir... Appreciate the reply very much.
>
> On Fri, 22 Jun 2007 03:17:21 -0700, shimmyshack
> wrote:
>
> >by FAR the most vulnerable part of that will be the application code,
> >(PHP) - the code not written by the vendors of these pieces of
> >software, but by your own staff and by third parties whose PHP
> >software you install to a deadline - if that has holes in it, you will
> >be able to rip into the heart of the intranet with ease, enumerate the
> >DBMS, grab others' data/act as them, depending on how "trusted" the
> >intranet is, all kinds of things. I notified my ISP (Zen Internet) of
> >a flaw in their .NET SSL "portal" months ago, the developer couldn't
> >see it, and wanted proof of concept I don't have time to give, the XSS
> >flaw is still there, albeit in modified form, you need someone other
> >than the developer to be in charge of looking over code because it
> >eases deadline and ego pressures. I wouldn't worry about Apache it is
> >the least of your concerns.
> >But the same goes for sites out on the internet, if they have web app
> >flaws, they can be used to launch attacks on you, and through your
> >browser and on to your intranet.... It's just a big ol' web out there
> >(meaning once you've plugged your computer in to a network)
> >As for Apache specifically, keep updating and it's got a good
> >reputation. For more see Secunia for various software security issues.

remember though any piece of powerful software (like Apache) can be
misconfigured to release too much, my advice is to see the chapter of
the manual on Apache security
http://httpd.apache.org/docs/2.2/misc/security_tips.html
and visit Google for "Apache Hardening" to see a load of great
websites for good practice.
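
Added example, not part of the thread or of the Apache documentation: a small audit of an httpd configuration for directives that commonly make the server "release too much" (version banners, TRACE, directory listings, status pages). The two sample configurations, the `/var/www/intranet` path and the `audit` function are constructed for illustration, and the defaults assumed are those of Apache httpd 2.2.

```python
# Added example: sample configs are constructed, not taken from the thread.
# DEFAULTS holds the values Apache httpd 2.2 uses when a directive is absent.
DEFAULTS = {"servertokens": "full", "serversignature": "off", "traceenable": "on"}
SAFE = {"servertokens": {"prod", "productonly"},
        "serversignature": {"off"}, "traceenable": {"off"}}
STATUS_HANDLERS = {"server-status", "server-info"}

LEAKY_CONF = """\
ServerTokens Full
ServerSignature On
<Directory "/var/www/intranet">
    Options Indexes FollowSymLinks
</Directory>
<Location /server-status>
    SetHandler server-status
</Location>
"""

HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable off
<Directory "/var/www/intranet">
    Options FollowSymLinks
</Directory>
"""

def audit(conf_text):
    """Return sorted (line_no, issue) pairs; line_no 0 means a default applies."""
    seen, findings = {}, []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if name in DEFAULTS and args:
            seen[name] = (n, args[0])  # simplification: the last value set wins
        elif name == "options" and {"indexes", "+indexes", "all"} & set(args):
            findings.append((n, "options-indexes"))  # directory listings on
        elif name == "sethandler" and args and args[0] in STATUS_HANDLERS:
            findings.append((n, args[0]))  # status page: check who can reach it
    for name, default in DEFAULTS.items():
        n, value = seen.get(name, (0, default))
        if value not in SAFE[name]:
            findings.append((n, f"{name}={value}"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, issue in audit(LEAKY_CONF):
        print(f"line {line_no or 'default'}: {issue}")
```

The audit reads one file and does not follow `Include` directives or `.htaccess` overrides, so run it over each configuration file the server loads.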