Archive for the ‘Apache’ Category

Apache 101: 0-WordPress in 15 minutes

May 12th, 2020
Hellfire missiles not included. (credit: Flickr user Mike)

Recently, we took a look at the Caddy Web server. Today, we're going to back things up a little bit and look at the A from the classic LAMP stack: the Apache Web server.

Apache has a bad reputation for being old, crusty, and low-performance—but this idea mostly stems from the persistence of ancient guides that still show users how to set it up in extremely antiquated ways. In this guide, we're going to set up an Ubuntu 20.04 droplet at Digital Ocean with an Apache Web server set up properly and capable of handling serious levels of traffic.

Installation

After spinning up a new $5/mo VM (Digital Ocean calls them "droplets"), the first thing we'll do is what anyone should do with any brand new Linux server. We check for and then install upgrades, and—since one of them was a new Linux kernel version—reboot the server.


Posted in Apache, Biz & IT, Tech, webserver

Caddy offers TLS, HTTPS, and more in one dependency-free Go Web server

May 6th, 2020
Production-ready in a few lines? Color us interested. (credit: Light Code Labs)

Yesterday, the Caddy Web server reached an important milestone, with its 2.0.0 release. Caddy bills itself as "The Ultimate Server," with no dependencies, automatic TLS certificate obtainment and renewal, and much smaller configuration files than Apache or Nginx.

Senior Technology Editor Lee Hutchinson expressed both curiosity about Caddy and his own personal inertia in the Ars slack:

Caddy is an app where every time i see it or think of it i say “I should mess with it, it looks neat” and then I never do. I’ve gotten so enmeshed in my haproxy - varnish - nginx stack that breaking out feels like more trouble than it’s worth.

I hadn't ever heard of Caddy until Lee mentioned it, but I know a call to action when I hear one.


Posted in Apache, Biz & IT, caddy, Tech, Ubuntu, webserver

GhostCat: New High-Risk Vulnerability Affects Servers Running Apache Tomcat

February 28th, 2020
If your web server is running on Apache Tomcat, you should immediately install the latest available version of the server application to prevent hackers from taking unauthorized control of it. Yes, that's possible because all versions (9.x/8.x/7.x/6.x) of Apache Tomcat released in the past 13 years have been found vulnerable to a new high-severity (CVSS 9.8) 'file read and inclusion bug'
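The GhostCat bug lives in Tomcat's AJP connector, which older Tomcat releases enabled by default on every interface with no shared secret. Beyond installing the fixed release, the practical check is whether your server.xml still exposes AJP that way. The script below is an added example written for this page, not Tomcat's own code; the two server.xml samples are constructed, and the attribute names it inspects (address, secret, requiredSecret, secretRequired) are the ones the AJP connector documents. If nothing in front of Tomcat speaks AJP, commenting the connector out entirely is the simplest fix.

```python
"""Audit a Tomcat server.xml for AJP connectors reachable without a shared secret.

Hypothetical checker written for this page; it is not Tomcat's own code.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the AJP connector shape shipped by default before the GhostCat fix
# (no address=, so it listens on every interface, and no shared secret).
EXPOSED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# Constructed sample: the same file after hardening. AJP is only needed when a front-end
# proxy (mod_jk / mod_proxy_ajp) talks to Tomcat over it; here it is kept, but bound to
# loopback and protected by a secret the proxy must present on every connection.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# An absent address= meant "all interfaces" on pre-fix releases, so treat it like 0.0.0.0.
ALL_INTERFACES = {None, "0.0.0.0", "::", "*"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one (port, [problem, ...]) entry per AJP connector that is exposed.

    A commented-out connector is not an element at all, so a file with AJP
    disabled yields no findings.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # Matches both "AJP/1.3" and the explicit class names such as
        # org.apache.coyote.ajp.AjpNioProtocol.
        if "AJP" not in protocol.upper():
            continue
        problems = []
        if conn.get("address") in ALL_INTERFACES:
            problems.append('listens on all interfaces (set address="127.0.0.1" or disable AJP)')
        # "secret" is the current attribute; "requiredSecret" was its name on older releases.
        secret = conn.get("secret") or conn.get("requiredSecret")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        if not secret:
            problems.append("no shared secret configured")
        elif not secret_required:
            problems.append('secretRequired="false" lets a client omit the secret')
        if problems:
            findings.append((conn.get("port", "?"), problems))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("exposed", EXPOSED_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml_text))
```

Run it against the real file (`ET.parse("/etc/tomcat9/server.xml")` instead of the constructed strings) and treat any finding as a reason to either disable the connector or pin it to loopback with a secret; a firewall rule in front of port 8009 is a stopgap, not a substitute.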

Posted in Apache, Apache exploit, Apache Tomcat, hacking news, local file inclusion, remote code execution, remote file inclusion, server security, server vulnerability, Tomcat Server

HTTPS for all: Let’s Encrypt reaches one billion certificates issued

February 27th, 2020
Encrypted communication has gone from "only if it's important" to "unless you're incredibly lazy" in four short years, and Let's Encrypt deserves a lot of the credit for that. (credit: nternet1.jpg by Rock1997 modified.)

Let's Encrypt, the Internet Security Research Group's free certificate signing authority, issued its first certificate a little over four years ago. Today, it issued its billionth.

The ISRG's goal for Let's Encrypt is to bring the Web up to a 100% encryption rate. When Let's Encrypt launched in 2015, the idea was pretty outré—at that time, a bit more than a third of all Web traffic was encrypted, with the rest being plain text HTTP. There were significant barriers to HTTPS adoption—for one thing, it cost money. But more importantly, it cost a significant amount of time and human effort, both of which are in limited supply.

Let's Encrypt solved the money barrier by offering its services free of charge. More importantly, by establishing a stable protocol to access them, it enabled the Electronic Frontier Foundation to build and provide Certbot, an open source, free-to-use tool that automates the process of obtaining certificates, installing them, configuring webservers to use them, and automatically renewing them.


Posted in Apache, EFF, Lets Encrypt, Nginx, Open Source, Tech

Apache Tomcat Patches Important Remote Code Execution Flaw

April 15th, 2019
The Apache Software Foundation (ASF) has released new versions of its Tomcat application server to address an important security vulnerability that could allow a remote attacker to execute malicious code and take control of an affected server. Developed by ASF, Apache Tomcat is an open source web server and servlet system, which uses several Java EE specifications such as Java Servlet,

Posted in Apache, Apache exploit, Apache Server, Apache Tomcat, cyber security, hacking news, server security, Vulnerability

Serious Apache server bug gives root to baddies in shared host environments

April 4th, 2019

(credit: Aurich Lawson / Thinkstock)

The Apache HTTP Server, the Internet’s most widely used Web server, just fixed a serious vulnerability that makes it possible for untrusted users or software to gain unfettered control of the machine the software runs on.

CVE-2019-0211, as the vulnerability is indexed, is a local privilege escalation, meaning it allows a person or software that already has limited access to the Web server to elevate privileges to root. From there, the attacker could do just about anything. The vulnerability makes it possible for unprivileged scripts to overwrite sensitive parts of a server’s memory, Charles Fol, the independent researcher who discovered the bug, wrote in a blog post. A malicious script could exploit the vulnerability to gain root.

The vulnerability poses the most risk inside Web-hosting facilities that offer shared instances, in which a single physical machine serves content for more than one website. Typically, such servers prevent an administrator of one site from accessing other sites or from accessing sensitive settings of the machine itself.
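The Apache advisory for CVE-2019-0211 gives the affected range as httpd 2.4.17 through 2.4.38 on Unix, fixed in 2.4.39, and the escalation path runs from code executing in a child process to the root-owned parent. That makes two facts worth checking on a shared host: the running version, and whether site code runs inside the httpd children at all (mod_php, mod_perl, mod_wsgi) rather than in a separate process as CGI or PHP-FPM. The script below is an added example for this page, not Apache's code; the `apache2ctl -V` / `apache2ctl -M` output it parses is constructed, and the module-name set is an assumption covering the common in-process interpreters.

```python
"""Triage an httpd host for CVE-2019-0211 from `apache2ctl -V` and `apache2ctl -M` output.

Hypothetical script written for this page, not Apache's code. Affected range and fix
version come from the Apache advisory (2.4.17 through 2.4.38, fixed in 2.4.39, Unix only).
"""
import re

FIRST_AFFECTED = (2, 4, 17)
LAST_AFFECTED = (2, 4, 38)

# Modules that execute site code inside the httpd child process. The bug lets a child
# escalate to the root-owned parent, so an in-process interpreter turns "every customer
# can run PHP" into "every customer can become root". Set is an assumption for this example.
IN_PROCESS_INTERPRETERS = {
    "php5_module", "php7_module", "php_module",
    "perl_module", "python_module", "wsgi_module",
}

# Constructed sample output shaped like a Debian/Ubuntu shared host.
SAMPLE_VERSION_OUTPUT = """Server version: Apache/2.4.29 (Ubuntu)
Server built:   2019-04-03T13:22:37
Server's Module Magic Number: 20120211:68
Architecture:   64-bit
Server MPM:     prefork
"""

SAMPLE_MODULES_OUTPUT = """Loaded Modules:
 core_module (static)
 so_module (static)
 mpm_prefork_module (shared)
 php7_module (shared)
 rewrite_module (shared)
"""


def parse_version(ctl_v_output: str) -> tuple:
    """Extract (major, minor, patch) from the 'Server version:' line."""
    m = re.search(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", ctl_v_output)
    if not m:
        raise ValueError("no 'Server version: Apache/x.y.z' line found")
    return tuple(int(part) for part in m.groups())


def loaded_modules(ctl_m_output: str) -> set:
    """Collect module names from `apache2ctl -M` style output."""
    mods = set()
    for line in ctl_m_output.splitlines():
        m = re.match(r"\s+(\w+)\s+\((static|shared)\)", line)
        if m:
            mods.add(m.group(1))
    return mods


def assess(ctl_v_output: str, ctl_m_output: str) -> dict:
    """Return a verdict of 'unaffected', 'patch' or 'urgent' with the evidence behind it.

    The MPM is deliberately not a discriminator: prefork, worker and event are all in
    the advisory. Caveat: distributions backport fixes without bumping the version
    string, so a 'patch'/'urgent' verdict on a distro build should be confirmed against
    the package changelog (e.g. `apt changelog apache2`) before anyone is paged.
    """
    version = parse_version(ctl_v_output)
    in_range = FIRST_AFFECTED <= version <= LAST_AFFECTED
    interpreters = sorted(loaded_modules(ctl_m_output) & IN_PROCESS_INTERPRETERS)
    if not in_range:
        verdict = "unaffected"
    elif interpreters:
        verdict = "urgent"   # untrusted in-process code has a direct path to root
    else:
        verdict = "patch"    # still affected, but only code already in a child can use it
    return {
        "version": version,
        "in_affected_range": in_range,
        "in_process_interpreters": interpreters,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_MODULES_OUTPUT))
```

On a live host, feed it `subprocess.run(["apache2ctl", "-V"], capture_output=True, text=True).stdout` and the same for `-M`; an "urgent" verdict on a multi-tenant box is the case the article describes, and moving tenants to PHP-FPM pools under separate users is the structural fix that outlasts this one CVE.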


Posted in Apache, Biz & IT, exploits, patches, vulnerabilities, web server

New Apache Web Server Bug Threatens Security of Shared Web Hosts

April 2nd, 2019
Mark J Cox, one of the founding members of the Apache Software Foundation and the OpenSSL project, today posted a tweet warning users about a recently discovered important flaw in Apache HTTP Server software. The Apache web server is one of the most popular, widely used open-source web servers in the world that powers almost 40 percent of the whole Internet. The vulnerability, identified as

Posted in Apache, Apache web server, fast web server, hacking web server, privilege escalation, shared web hosting, Vulnerability, web hosting, web server hacking, web server security

How a serious Apache vulnerability struts its stuff

March 14th, 2017

Officially it’s CVE-2017-5638, but in practice it’s “the bug in Apache Struts you really should have patched by now”. Here’s why…
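CVE-2017-5638 is reached through the Content-Type request header: the Jakarta multipart parser copied a malformed header into an error message that Struts then evaluated as OGNL. A legitimate Content-Type is a plain media type, so the most robust detection is to allowlist the media-type grammar rather than chase payload variants. The detector below is an added example for this page, not Struts' code or any vendor signature; the log lines are constructed in a custom format that records the header (`LogFormat "%h %t \"%r\" %>s \"%{Content-Type}i\""`), and the OGNL marker list is an assumption used only to explain a hit, not to decide it.

```python
"""Flag requests whose Content-Type header is not a well-formed media type.

Hypothetical detector written for this page, not Struts' code. Decision is made by the
RFC 7231 media-type grammar (an allowlist); marker strings only annotate why it fired.
"""
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# type/subtype followed by zero or more ;name=value parameters.
MEDIA_TYPE = re.compile(
    rf"^\s*{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}\s*=\s*(?:{TOKEN}|{QUOTED}))*\s*$"
)
# Assumed markers, used for explanation only; the grammar check is what decides.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "OgnlContext", "@java.lang", "getRuntime")

# Parses the constructed format: %h %t "%r" %>s "%{Content-Type}i"
LOG_LINE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) "((?:[^"\\]|\\.)*)"$')

# Constructed sample log. The third line carries an OGNL-shaped header with an inert
# expression, enough to exercise the detector without being a working exploit.
SAMPLE_LOG = """
198.51.100.23 [14/Mar/2017:10:21:57 +0000] "POST /app/upload.action HTTP/1.1" 200 "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"
198.51.100.23 [14/Mar/2017:10:21:58 +0000] "POST /app/api.action HTTP/1.1" 200 "application/json; charset=utf-8"
203.0.113.7 [14/Mar/2017:10:22:01 +0000] "POST /app/index.action HTTP/1.1" 200 "%{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#probe='x')}"
192.0.2.9 [14/Mar/2017:10:22:05 +0000] "GET /app/index.action HTTP/1.1" 200 "-"
""".strip()


def content_type_problems(value: str) -> list:
    """Return [] for a valid or absent header, otherwise a list of reasons."""
    if value in ("", "-"):          # Apache logs "-" when the header is absent
        return []
    problems = []
    if not MEDIA_TYPE.match(value):
        problems.append("not a valid media type")
    for marker in OGNL_MARKERS:
        if marker in value:
            problems.append(f"contains {marker!r}")
    return problems


def scan_log(text: str) -> list:
    """Return one dict per request whose Content-Type fails the check."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _when, request, _status, ctype = m.groups()
        problems = content_type_problems(ctype)
        if problems:
            hits.append({"client": client, "request": request,
                         "content_type": ctype, "problems": problems})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["request"], hit["problems"])
```

The same `content_type_problems` check can sit in a WAF rule or a reverse-proxy filter in front of a Struts app that cannot be patched immediately; because it rejects anything outside the grammar, it also catches encodings and obfuscations that a marker list would miss. Note that standard combined-format logs do not record Content-Type, so retrospective hunting needs the custom LogFormat above or a packet capture.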

Posted in Apache, CVE-2017-5638, Exploit, rce, struts, Vulnerability

Google Employees Help Thousands Of Open Source Projects Patch Critical ‘Mad Gadget Bug’

March 2nd, 2017

Last year Google employees took an initiative to help thousands of Open Source Projects patch a critical remote code execution vulnerability in a widely used Apache Commons Collections (ACC) library.

Dubbed Operation Rosehub, the initiative was carried out by some 50 Google employees, who used 20 percent of their work time to patch over 2,600 open source projects on GitHub, those were

Posted in Apache, Google Security, hacking news, java Vulnerability, Mad Gadget vulnerability, Open Source, ransomware attack, Vulnerability

Anti-piracy software developer leaves website open to snoops

February 9th, 2017

It’s all too easy to get the configuration of a website wrong and leave the door open for anyone to see private files

Posted in Apache, htaccess, Technologies, Vulnerability