http://www.apache-asp.org/
djs:
Apache has been exploited by hackers.
IMO, IIS can be made reasonably secure if a user will take the time
to learn about IIS, it's security settings, and the host op system's
security settings (XP, Win2k, Win2k3). And, if the user will stay
current on MS's updates for both IIS and the host op system.
Apparently, many IIS users are not willing to do that, and they then
declare IIS as the problem.
Of course, Apache isn't perfect, either. But I don't remember Gartner
recommending against using it:
"Gartner recommends that enterprises hit by both Code Red and Nimda
immediately investigate alternatives to IIS, including moving Web
applications to Web server software from other vendors, such as iPlanet
and Apache. Although these Web servers have required some security
patches, THEY HAVE MUCH BETTER SECURITY RECORDS THAN IIS
and are not under active attack by the vast number of virus and worm
writers. Gartner remains concerned that viruses and worms will continue
to attack IIS until Microsoft has released a completely rewritten,
thoroughly and publicly tested, new release of IIS."
http://www3.gartner.com/DisplayDocument?doc_cd=101034
Don't have your head in the sand. Apache is BY FAR the most-used HTTP
server on the Internet today. Yet have you heard of any "Code Red" type
of widespread attacks against it? I guess that shoots down the whole
stupid "Microsoft is a target because it's the most popular" hypothesis.
[/QUOTE]
Geee that wouldn't be anything like oh say... Linux.Slapper.Worm, and it's
varients like Linux.Slapper.B.Worm, Linux.Slapper.C.Worm that uses an OpenSSL
buffer overflow exploit to run a shell on a remote computer. -- Gee I believe
Microsoft fixed that kinda thing in IIS way before the oh so smarter Linux
group corrected it. Or need I mention ahh well FreeBSD.Scalper.Worm which uses
the Apache HTTP Server chunk encoding stack overflow vulnerability to spread
itself. Gee, and remind me how long has Apache been allowing remote users to
view source script code and traverse directories? That was fixed... what way
back around IIS 2.0, and I hope you won't say that isn't a security problem or
maybe they just have their "head in the sand" on that one. Say what about a
vulnerability with in the mod_auth_any Apache module, which occurs due to
insufficient sanitiziation of user-supplied arguments -- imagine that, what a
surpise -- and as a result, it's possible for an attacker to execute arbitrary
commands, by placing shell metacharacters within an argument. Oh, and the good
point, all commands executed in this manner would be run with the privileges of
the Apache HTTPD server, which in all like hood given the oh so secure Apache
would give attacks the keys to the kindom. Then there's the vulnerable CGI
scipts policy of Apache, the scripts have possible exploits that will give
users unauthorized access or heightened privileges on Apache Web Servers.
Need I mention, say Linux.Jac.8759, Linux.Simile, Linux.Svat, Linux.Hyp.6168,
Linux.Lion.Worm, Linux.Ramen, etc, etc...
Why doesn't any of this not make news when it happens to Apache/Linux and does
when it happens to Microsoft? Because, "Microsoft is a target because it's the
most popular".
But last an most important to me, does Apache run ASP pages? No, it doesn't...
hence I have no interest in it.
