Hornbill Trust

Apr 08 2012

S(ec)urely Not!

This week I was experimenting with locking down Apache to avoid a particular vulnerability that a hacker may want to have some fun with. With a bit of research, I found a very cool third-party firewall for Apache that can be used to close this vulnerability — I’ll blog about this firewall another time. We built the module from source, installed it and then applied the lock down. I couldn’t wait to try it out, so I tried a very simple example of the vulnerability, the simplest I could think of. IT DIDN’T WORK!!! What did I do wrong? I checked, double-checked and triple-checked the configuration applied to prevent the vulnerability: there were no errors on my side. With a bit more research, I found out that there was a problem: the latest release of the third-party component did not prevent the vulnerability, although previous releases did. The latest version had regressed 🙁

Oh well, these things happen. The third-party component is great and really useful, so I can live with reverting back to a previous release to achieve my goal. The whole episode did prompt me to write this blog post and provide some words of wisdom that others may benefit from:

  • always conduct your own tests to make sure that a third-party component does what it says on the tin
  • create a regression test suite to make sure that old problems are not re-introduced when you upgrade a component
  • don’t assume that security experts will not make mistakes!!

I’ve deliberately been vague about the details in case someone stumbles across this blog post and tries to exploit the vulnerability on a site.