Red Hat does not consider this issue to be a vulnerability. In order to exploit this for cross-site scripting, the attacker would have to get the victim to supply an arbitrary malformed HTTP method to a target site.
We do not consider this issue to be security sensitive. Untrusted users should not be permitted to upload files to the directories from where they can be directly served by the web server without prior careful sanitation of both contents and filename.
These attacks are reliant on an insecure configuration of the server - that the user the server runs as has write access to the document root. The suexec security model is not intended to protect against privilege escalation in such a configuration.
Right, I read those. My point is that while Red Hat doesn't think CVE-2007-6203 is a vulnerability, our credit card processor's PCI scanner does and hence will not certify unless there is a compensating control.
CVE-2008-0455/6 could be addressed by disabling mod_negotiation.
CVE-2007-1741/3 could be addressed by prohibiting local users.
Apache 2.2.8 or greater addresses these, a backported 2.2.3 that ignores them does not.
What are folks who are subjected to PCI doing to address this sort of thing with CentOS 5.6? A distro like Gentoo keeps in step with the latest Apache which would keep you covered. Is CentOS 6 more in step?
Whenever possible, ASVs must use two tools to categorize and rank vulnerabilities, and determine scan compliance:
1. The Common Vulnerability Scoring System (CVSS) version 2.0, which provides a common framework for communicating the characteristics and impact of IT vulnerabilities. The CVSS scoring algorithm utilizes a Base Metric Group, which describes both the complexity and impact of a vulnerability to produce a Base Score, which ranges between 0 and 10. The CVSS Base Score must, where available, be used by ASVs in computing PCI DSS compliance scoring.
2. The National Vulnerability Database (NVD), which is maintained by the National Institute of Standards and Technology (NIST). The NVD contains details of known vulnerabilities based on the Common Vulnerabilities and Exposures (CVE) dictionary. The NVD has adopted the CVSS and publishes CVSS Base Scores for each vulnerability. ASVs should use the CVSS scores whenever they are available.
The use of the CVSS and CVE standards, in conjunction with a common vulnerability database and scoring authority (the NVD) is intended to provide consistency across ASVs.
With a few exceptions (see the Compliance Determination-Overall and by Component section below for details), any vulnerability with a CVSS Base Score of 4.0 or higher will result in a non-compliant scan, and all such vulnerabilities must be remediated by the scan customer. To assist customers in prioritizing the solution or mitigation of identified issues, ASVs must assign a severity level to each identified vulnerability or misconfiguration.
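To make the quoted ASV rule concrete, here is an added example (not from this thread or the PCI guide) that implements the published CVSS v2.0 base equation and applies the 4.0 non-compliance threshold. The first vector is the one I believe NVD records for CVE-2007-6203 (verify against the NVD entry before relying on it); the other two findings are constructed sample input.

```python
"""CVSS v2.0 base score plus the PCI ASV 4.0 threshold quoted above."""
import re

# CVSS v2.0 base metric weights, from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}

PCI_FAIL_THRESHOLD = 4.0  # ASV rule: Base Score >= 4.0 => non-compliant scan

VECTOR_RE = re.compile(
    r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$")


def base_score(vector):
    """Return the CVSS v2 base score (0.0 to 10.0) for a base vector string."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError("not a CVSS v2 base vector: %r" % vector)
    av, ac, au, c, i, a = m.groups()
    impact = 10.41 * (1 - (1 - IMPACT_WEIGHT[c])
                          * (1 - IMPACT_WEIGHT[i])
                          * (1 - IMPACT_WEIGHT[a]))
    exploitability = (20 * ACCESS_VECTOR[av]
                      * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au])
    f_impact = 0.0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    # CVSS rounds to one decimal; round half up rather than banker's rounding.
    return int(raw * 10 + 0.5) / 10.0


def pci_noncompliant(findings):
    """Given {finding: vector}, return {finding: score} for scores >= 4.0."""
    failing = {}
    for name, vector in findings.items():
        score = base_score(vector)
        if score >= PCI_FAIL_THRESHOLD:
            failing[name] = score
    return failing


# Constructed sample scanner output: finding name -> CVSS v2 base vector.
FINDINGS = {
    "CVE-2007-6203 (XSS via malformed HTTP method)": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "constructed: unauthenticated remote code exec": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
    "constructed: local, hard to exploit, no impact": "AV:L/AC:H/Au:M/C:N/I:N/A:N",
}

if __name__ == "__main__":
    for name, vector in FINDINGS.items():
        print("%-48s %-28s %.1f" % (name, vector, base_score(vector)))
    print("non-compliant:", sorted(pci_noncompliant(FINDINGS)))
```

Note that a 4.3 finding fails the scan even though Red Hat does not treat the issue as a vulnerability; the score, not the vendor's position, drives the ASV result unless a compensating control is accepted.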
Thanks Phil, what you say makes sense and it is going to cause ongoing pain.
The main point of my original post was to see if other CentOS 5 users had some thoughts on addressing the problems I see. It sounds like CentOS 6 may help a reasonable amount as the baseline version of Apache is substantially newer, but maybe I should be looking at a distro that does things differently.