This week I was experimenting with locking down Apache to avoid a particular vulnerability that a hacker may want to have some fun with. With a bit of research, I found a very cool third-party firewall for Apache that can be used to close this vulnerability — I’ll blog about this firewall another time. We built the module from source, installed it and then applied the lockdown. I couldn’t wait to try it out, so I tried the simplest example of the vulnerability I could think of. IT DIDN’T WORK!!! What did I do wrong? I checked, double-checked and triple-checked the configuration applied to prevent the vulnerability: there were no errors on my side. With a bit more research, I found the real problem: the latest release of the third-party component did not prevent the vulnerability, although previous releases did. The latest version had regressed 🙁
Oh well, these things happen. The third-party component is great and really useful, so I can live with reverting to a previous release to achieve my goal. The whole episode did prompt me to write this blog post and offer some words of wisdom that others may benefit from:
- always conduct your own tests to make sure that a third-party component does what it says on the tin
- create a regression test suite to make sure that old problems are not re-introduced when you upgrade a component
- don’t assume that security experts will not make mistakes!!
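To make the second point concrete, here is a small regression harness of the kind I mean, written for this post as an added example rather than taken from the firewall module or from my own deployment. It records "golden" cases while the control is known to work (an ordinary page is served with 200, a request the control is configured to block gets 403) and re-runs them after every upgrade, reporting any case whose behaviour changed. The paths, the `Case` table and the `make_stub` stand-in are constructed placeholders so the harness runs offline; point it at a base URL to run it against a real server.

```python
"""Regression suite for a web-layer security control sitting in front of Apache.

Added example, not the post's own code. Assumes the control answers HTTP 403 for
requests it is configured to block and 200 for ordinary traffic. The paths below
are constructed placeholders for this demonstration, not real payloads.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Case:
    name: str
    path: str
    expected_status: int


# Golden cases, recorded while the control was known to behave correctly.
# The probe path is a placeholder: substitute the request your control must block.
CASES: List[Case] = [
    Case("baseline page still served", "/index.html", 200),
    Case("policy-blocked probe is rejected", "/__regression_probe__/blocked", 403),
]


def http_status(base_url: str, path: str, timeout: float = 5.0) -> int:
    """Send a GET and return the HTTP status; 4xx/5xx arrive as HTTPError."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def run_suite(cases: Iterable[Case], fetch: Callable[[str], int]) -> List[Tuple[Case, int]]:
    """Return every case whose observed status differs from the recorded expectation."""
    regressions: List[Tuple[Case, int]] = []
    for case in cases:
        observed = fetch(case.path)
        if observed != case.expected_status:
            regressions.append((case, observed))
    return regressions


def make_stub(blocked_prefixes: Iterable[str]) -> Callable[[str], int]:
    """Offline stand-in for a deployed control (hypothetical), used to exercise the harness.

    A release that silently stops blocking is simulated by passing an empty prefix list.
    """
    prefixes = list(blocked_prefixes)

    def fetch(path: str) -> int:
        return 403 if any(path.startswith(p) for p in prefixes) else 200

    return fetch


if __name__ == "__main__":
    # Usage: python regression_suite.py http://host:port   (omit the URL to run the stub)
    base = sys.argv[1] if len(sys.argv) > 1 else None
    fetch = (lambda p: http_status(base, p)) if base else make_stub(["/__regression_probe__/"])
    failures = run_suite(CASES, fetch)
    for case, observed in failures:
        print(f"REGRESSION: {case.name}: expected {case.expected_status}, got {observed}")
    print("no regressions" if not failures else f"{len(failures)} regression(s)")
    sys.exit(1 if failures else 0)
```

Run it before and after every upgrade of the component and make a non-zero exit fail your deployment step; the whole point is that the suite, not your memory, remembers what the previous release got right.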