• Terrasque@infosec.pub · 20 hours ago · 13 up, 1 down

    Uh… So that’s it, the Apache server version? That’s all? I looked at the critical CVEs for that version, and honestly, they’d require a pretty specific setup to be abused if I understood them correctly. Most of them were various DoS with no information disclosure, and the only spooky one I saw requires the server to have scripts the server is allowed to execute, but outside of the normal URL mapping. Which then would have to be disclosing some info or doing something spooky. The rest seem to require the attacker to control the app behind the apache2 server.

    Would be better to upgrade, of course, but it looks nowhere near as bad as the blog author makes it sound.

    • unexposedhazard@discuss.tchncs.de · 20 hours ago · 5 up, 1 down

      The actual vulnerability doesn't matter, it's the way the guy handled it and keeps handling everything. He is just not mentally and technically equipped to run a project like this. He is completely out of his depth.

      The only thing he should be doing is publishing his source code and handing the project over to people that know how to deal with things like this. But he just really wants to play the hero instead of actually making sure that people can effectively avoid ICE.