A scan of a Solaris 7 system found several vulnerabilities for Apache on the system. Most of them appeared to be due to the version of Apache on the system not being up-to-date. I checked the version of Apache running on the system by using telnet to connect to port 80 and then issuing the
HEAD / HTTP/1.0
command.
# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Fri, 25 Jan 2008 03:29:30 GMT
Server: Apache/2.0.39 (Unix)
Last-Modified: Thu, 29 Nov 2007 04:39:44 GMT
ETag: "89124-5df-e729c400"
Accept-Ranges: bytes
Content-Length: 1503
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Connection closed by foreign host.The version was 2.0.39, so it was out-of-date.
You can also check the version with the apachectl command.
# /usr/local/apache2/bin/apachectl -v
Server version: Apache/2.0.39
Server built: Jun 26 2002 01:03:14Version 2.0.59 is the current version listed at Sunfreeware.com - SPARC/Solaris 7 Packages.
The dependencies statement for Apache 2.0.59 listed libiconv as a
dependency and stated "you may need /usr/local/lib/libgcc_s.so.1 either from
the libgcc-3.3 or gcc-3.3.2 or higher packages." When I checked the version
of gcc with gcc -v, I saw it was 3.0.4. So I first
upgraded libiconv.
I installed libiconv 1.11 on a Sun SPARC Solaris 7 system. I obtained the package from Sunfreeware.com - SPARC/Solaris 7 Packages.
# gunzip libiconv-1.11-sol7-sparc-local.gz
# pkgadd -d libiconv-1.11-sol7-sparc-local
The following packages are available:
1 SMCliconv libiconv
(sparc) 1.11
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: all
Processing package instance <SMCliconv> from </home/jdoe/libiconv-1.11-sol7-sparc-local>
libiconv
(sparc) 1.11
Bruno Haible
Using </usr/local> as the package base directory.
## Processing package information.
## Processing system information.
12 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
The following files are already installed on the system and are being
used by another package:
/usr/local/bin/iconv
/usr/local/doc/libiconv/ABOUT-NLS
/usr/local/doc/libiconv/AUTHORS
/usr/local/doc/libiconv/COPYING.LIB
/usr/local/doc/libiconv/ChangeLog
/usr/local/doc/libiconv/DESIGN
/usr/local/doc/libiconv/INSTALL.generic
/usr/local/doc/libiconv/NEWS
/usr/local/doc/libiconv/NOTES
/usr/local/doc/libiconv/PORTS
/usr/local/doc/libiconv/README
/usr/local/doc/libiconv/README.djgpp
/usr/local/doc/libiconv/README.os2
/usr/local/doc/libiconv/README.woe32
/usr/local/doc/libiconv/THANKS
/usr/local/include/iconv.h
/usr/local/include/libcharset.h
/usr/local/lib/libcharset.a
/usr/local/lib/libcharset.la
[Hit <RETURN> to continue display]
/usr/local/lib/libcharset.so.1.0.0
/usr/local/lib/libiconv.la
/usr/local/lib/libiconv.so
/usr/local/lib/libiconv.so.2
/usr/local/man/man1/iconv.1
/usr/local/man/man3/iconv.3
/usr/local/man/man3/iconv_close.3
/usr/local/man/man3/iconv_open.3
* - conflict with a file which does not belong to any package.
Do you want to install these conflicting files [y,n,?,q] y
## Checking for setuid/setgid programs.
Installing libiconv as <SMCliconv>
## Installing part 1 of 1.
/usr/local/bin/iconv
/usr/local/doc/libiconv/ABOUT-NLS
/usr/local/doc/libiconv/AUTHORS
/usr/local/doc/libiconv/COPYING.LIB
/usr/local/doc/libiconv/ChangeLog
/usr/local/doc/libiconv/DESIGN
/usr/local/doc/libiconv/INSTALL.generic
/usr/local/doc/libiconv/NEWS
/usr/local/doc/libiconv/NOTES
/usr/local/doc/libiconv/PORTS
/usr/local/doc/libiconv/README
/usr/local/doc/libiconv/README.djgpp
/usr/local/doc/libiconv/README.os2
/usr/local/doc/libiconv/README.woe32
/usr/local/doc/libiconv/THANKS
/usr/local/include/iconv.h
/usr/local/include/libcharset.h
/usr/local/include/localcharset.h
/usr/local/lib/libcharset.a
/usr/local/lib/libcharset.la
/usr/local/lib/libcharset.so.1.0.0
/usr/local/lib/libiconv.la
/usr/local/lib/libiconv.so <symbolic link>
/usr/local/lib/libiconv.so.2 <symbolic link>
/usr/local/lib/libiconv.so.2.4.0
/usr/local/lib/preloadable_libiconv.so
/usr/local/man/man1/iconv.1
/usr/local/man/man3/iconv.3
/usr/local/man/man3/iconv_close.3
/usr/local/man/man3/iconv_open.3
/usr/local/man/man3/iconvctl.3
/usr/local/share/doc/iconv.1.html
/usr/local/share/doc/iconv.3.html
/usr/local/share/doc/iconv_close.3.html
/usr/local/share/doc/iconv_open.3.html
/usr/local/share/doc/iconvctl.3.html
[ verifying class <none> ]
Installation of <SMCliconv> was successful.
Since libintl was listed as a dependency for
libiconv, I tried to determine if libintl
on the system was the latest version.
I looked for libiintl files on the system. I found several.
# find / -name libintl\* -print
/usr/lib/sparcv9/libintl.so
/usr/lib/sparcv9/libintl.so.1
/usr/lib/libintl.so
/usr/lib/libintl.so.1
/usr/lib/libintl.a
/usr/include/libintl.h
/usr/share/man/sman4/libintl.4
/usr/local/lib/gcc-lib/sparc-sun-solaris2.7/3.0.4/include/libintl.h
When I looked in /usr/include/libintl.h, I saw it was version
1.12, so I upgraded libintl to the 3.4.0 version from
Sunfreeware.com -
SPARC/Solaris 7 Packages.
# gunzip libintl-3.4.0-sol7-sparc-local.gz
# pkgadd -d libintl-3.4.0-sol7-sparc-local
The following packages are available:
1 SMClintl libintl
(sparc) 3.4.0
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
Processing package instance <SMClintl> from </home/jdoe/libintl-3.4.0-sol7-sparc-local>
libintl
(sparc) 3.4.0
FSF
Using </usr/local> as the package base directory.
## Processing package information.
## Processing system information.
2 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
Installing libintl as <SMClintl>
## Installing part 1 of 1.
/usr/local/include/libintl.h
/usr/local/lib/libintl.a
/usr/local/lib/libintl.la
/usr/local/lib/libintl.so <symbolic link>
/usr/local/lib/libintl.so.3 <symbolic link>
/usr/local/lib/libintl.so.3.4.0
/usr/local/lib/libintl.so.8 <symbolic link>
/usr/local/lib/libintl.so.8.0.2
[ verifying class <none> ]
Installation of <SMClintl> was successful.
I then upgraded gcc.
# gunzip gcc-3.4.6-sol7-sparc-local.gz
# pkgadd -d gcc-3.4.6-sol7-sparc-local
The following packages are available:
1 SMCgcc gcc
(sparc) 3.4.6
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
Processing package instance <SMCgcc> from </tmp/testing/gcc-3.4.6-sol7-sparc-local>
gcc
(sparc) 3.4.6
FSF
Using </usr/local> as the package base directory.
## Processing package information.
## Processing system information.
10 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
The following files are already installed on the system and are being
used by another package:
* /usr/local/bin/c++
* /usr/local/bin/cpp
* /usr/local/bin/g++
* /usr/local/bin/g77
* /usr/local/bin/gcc
* /usr/local/bin/gccbug
* /usr/local/bin/gcov
* /usr/local/bin/sparc-sun-solaris2.7-c++
* /usr/local/bin/sparc-sun-solaris2.7-g++
* /usr/local/bin/sparc-sun-solaris2.7-gcc
* /usr/local/info <attribute change only>
* /usr/local/info/cpp.info
* /usr/local/info/cppinternals.info
* /usr/local/info/g77.info
* /usr/local/info/gcc.info
* /usr/local/lib/libgcc_s.so.1
* /usr/local/lib/libiberty.a
* /usr/local/lib/libstdc++.a
* /usr/local/lib/libstdc++.la
[Hit <RETURN> to continue display]
* /usr/local/lib/libsupc++.a
* /usr/local/lib/libsupc++.la
* /usr/local/man/man1/cpp.1
* /usr/local/man/man1/g++.1
* /usr/local/man/man1/g77.1
* /usr/local/man/man1/gcc.1
* /usr/local/man/man1/gcov.1
* /usr/local/man/man7 <attribute change only>
* /usr/local/man/man7/fsf-funding.7
* /usr/local/man/man7/gfdl.7
* /usr/local/man/man7/gpl.7
* /usr/local/share/locale <attribute change only>
* /usr/local/share/locale/be <attribute change only>
* /usr/local/share/locale/be/LC_MESSAGES <attribute change only>
* /usr/local/share/locale/ca <attribute change only>
* /usr/local/share/locale/ca/LC_MESSAGES <attribute change only>
* /usr/local/share/locale/da <attribute change only>
* /usr/local/share/locale/da/LC_MESSAGES <attribute change only>
* /usr/local/share/locale/de <attribute change only>
* /usr/local/share/locale/de/LC_MESSAGES <attribute change only>
[Hit <RETURN< to continue display]
* /usr/local/share/locale/el <attribute change only>
* /usr/local/share/locale/el/LC_MESSAGES <attribute change only>
* /usr/local/share/locale/es <attribute change only>
* /usr/local/share/locale/es/LC_MESSAGES <attribute change only>
* /usr/local/share/locale/fr <attribute change only>
* /usr/local/share/locale/fr/LC_MESSAGES <attribute change only>
* /usr/local/share/locale/ja <attribute change only>
* /usr/local/share/locale/ja/LC_MESSAGES <attribute change only>
* /usr/local/share/locale/nl <attribute change only>
* /usr/local/share/locale/nl/LC_MESSAGES <attribute change only>
* /usr/local/share/locale/sv <attribute change only>
* /usr/local/share/locale/sv/LC_MESSAGES <attribute change only>
* /usr/local/share/locale/tr <attribute change only>
* /usr/local/share/locale/tr/LC_MESSAGES <attribute change only>
* - conflict with a file which does not belong to any package.
Do you want to install these conflicting files [y,n,?,q] y
<text snipped>
/usr/local/share/locale/tr/LC_MESSAGES/gcc.mo
[ verifying class <none> ]
Installation of <SMCgcc> was successful.I then downloaded the 2.0.59 version of Apache and installed it.
# gunzip apache-2.0.59-sol7-sparc-local.gz
# pkgadd -d apache-2.0.59-sol7-sparc-local
The following packages are available:
1 SMCap2059 apache
(sparc) 2.0.59
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
Processing package instance <SMCap2059> from </home/jdoe/apache-2.0.59-sol7-sparc-local>
apache
(sparc) 2.0.59
The Apache Group
Using </usr/local/apache2> as the package base directory.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
The following files are already installed on the system and are being
used by another package:
* /usr/local/apache2/bin <attribute change only>
* /usr/local/apache2/bin/ab
* /usr/local/apache2/bin/apachectl
* /usr/local/apache2/bin/apr-config
* /usr/local/apache2/bin/apu-config
* /usr/local/apache2/bin/apxs
* /usr/local/apache2/bin/checkgid
* /usr/local/apache2/bin/dbmmanage
* /usr/local/apache2/bin/envvars
* /usr/local/apache2/bin/envvars-std
* /usr/local/apache2/bin/htdbm
* /usr/local/apache2/bin/htdigest
* /usr/local/apache2/bin/htpasswd
* /usr/local/apache2/bin/httpd
* /usr/local/apache2/bin/logresolve
* /usr/local/apache2/bin/rotatelogs
* /usr/local/apache2/build <attribute change only>
* /usr/local/apache2/build/config_vars.mk
* /usr/local/apache2/build/instdso.sh
[Hit <RETURN> to continue display]
<text snipped>
* /usr/local/apache2/manual/vhosts/index.html.en
* /usr/local/apache2/manual/vhosts/ip-based.html
* /usr/local/apache2/manual/vhosts/mass.html
* /usr/local/apache2/manual/vhosts/name-based.html
* /usr/local/apache2/manual/vhosts/name-based.html.en
* /usr/local/apache2/modules <attribute change only>
* /usr/local/apache2/modules/httpd.exp
* - conflict with a file which does not belong to any package.
Do you want to install these conflicting files [y,n,?,q] y
[ verifying class <none> ]
Installation of <SMCap2059> was successful.When I tried to restart Apache to run the new version, I received the message below:
# ../bin/apachectl restart
Syntax error on line 344 of /usr/local/apache2/conf/httpd.conf:
Invalid command 'Order', perhaps mis-spelled or defined by a module not included in the server configuration
When I checked what was at line 344, I found Order allow,deny.
<Directory "/usr/local/apache2/htdocs">
<text snipped>
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
I commented out the "order" and "allow" lines to see what would happen. I
then received an error message concerning the UserDir command
in httpd.conf.
I checked the compiled-in modules for Apache with httpd -l and
saw the following:
# ../bin/httpd -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c
The order command requires the mod_access module
to be loaded in Apache. It was apparently compiled into the previous version
I had running on the system, but it isn't compiled into the current version,
so I added
LoadModule access_module /usr/local/apache2/modules/mod_access.so
to /usr/local/apache2/conf/httpd.conf.
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule access_module /usr/local/apache2/modules/mod_access.so
Note: the location of mod_access.so and other modules
may be in a different location on other systems, e.g. under Linux it may be at
/etc/httpd/modules/mod_access.so. I also discovered later
that I should have put LoadModule auth_module
/usr/local/apache2/modules/mod_auth.so in as well to address
this error as shown at
Adding Modules to httpd.conf With Apache 2.
When I added the mod_access.so line and ran apachectl
restart, I then received the error message below:
# ../bin/apachectl restart
Syntax error on line 354 of /usr/local/apache2/conf/httpd.conf:
Invalid command 'UserDir', perhaps mis-spelled or defined by a module not
included in the server configuration
I then added the line LoadModule userdir_module
/usr/local/apache2/modules/mod_userdir.so below the
LoadModule access_module /usr/local/apache2/modules/mod_access.so
line in httpd.conf. That eliminated the error related to the
UserDir command, but I then saw another module related error
message.
# ../bin/apachectl restart
Syntax error on line 382 of /usr/local/apache2/conf/httpd.conf:
Invalid command 'DirectoryIndex', perhaps mis-spelled or defined by a module not included in the server configuration
I added LoadModule dir_module /usr/local/apache2/modules/mod_dir.so
beneath the other LoadModule statements and reran
apacectl restart. The error message for DirectoryIndex
was eliminated and I got further in the configuration file, but I received
another error message when I restarted Apache.
# ../bin/apachectl restart
Syntax error on line 403 of /usr/local/apache2/conf/httpd.conf:
Invalid command 'TypesConfig', perhaps mis-spelled or defined by a module not included in the server configuration
So I then added LoadModule mime_module
/usr/local/apache2/modules/mod_mime.so and attempted again to restart
Apache. The next error message is shown below.
# ../bin/apachectl restart
Syntax error on line 456 of /usr/local/apache2/conf/httpd.conf:
Invalid command 'LogFormat', perhaps mis-spelled or defined by a module not included in the server configuration
I then added LoadModule log_config_module
/usr/local/apache2/modules/mod_log_config.so. When I attempted to
restart Apache, I then saw the message below.
# ../bin/apachectl restart
Syntax error on line 506 of /usr/local/apache2/conf/httpd.conf:
Invalid command 'Alias', perhaps mis-spelled or defined by a module not included in the server configurationI then added LoadModule alias_module
/usr/local/apache2/modules/mod_alias.so, which led to the next
error message.
# ../bin/apachectl restart
Syntax error on line 576 of /usr/local/apache2/conf/httpd.conf:
Invalid command 'IndexOptions', perhaps mis-spelled or defined by a module not included in the server configuration
I then added LoadModule autoindex_module
/usr/local/apache2/modules/mod_audoindex.so and attempted to restart
Apache again.
# ../bin/apachectl restart
Syntax error on line 724 of /usr/local/apache2/conf/httpd.conf:
Invalid command 'LanguagePriority', perhaps mis-spelled or defined by a module not included in the server configurationI added LoadModule negotiation_module
/usr/local/apache2/modules/mod_negotiation.so to address that error.
# ../bin/apachectl restart
Syntax error on line 908 of /usr/local/apache2/conf/httpd.conf:
Invalid command 'BrowserMatch', perhaps mis-spelled or defined by a module not included in the server configuration
I then added LoadModule setenvif_module
/usr/local/apache2/modules/mod_setevnif.so and attempted to restart
again with apachectl restart. At last it restarted without an
error message. Yeah! Except when I tried telnet 1270.0.1 80 to
connect to the default HTTP port on the local loopback address, it failed.
# telnet 127.0.0.1 80
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
When I looked in /usr/local/apache2/logs/error_log, I saw the
following:
[Sun Jan 27 22:09:30 2008] [notice] SIGHUP received. Attempting to restart
Syntax error on line 219 of /usr/local/apache2/conf/httpd.conf:
module access_module is built-in and can't be loaded
So I removed LoadModule access_module
/usr/local/apache2/modules/mod_access.so from httpd.conf.
But then I got the Invalid command 'Order' error message again.
# ../bin/apachectl restart
Syntax error on line 352 of /usr/local/apache2/conf/httpd.conf:
Invalid command 'Order', perhaps mis-spelled or defined by a module not included in the server configuration
I put LoadModule access_module
/usr/local/apache2/modules/mod_access.so
and added LoadModule auth_module
/usr/local/apache2/modules/mod_auth.so below it.
# ../bin/apachectl restart
httpd not running, trying to startI tried connecting to port 80 on the loopback address again. This time
I was successful. I entered the command HEAD / HTTP/1.0 and
hit return a couple of times. Apache then responded with information showing
me that version 2.0.59 was running at last.
I now have the following module section in httpd.conf
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule access_module /usr/local/apache2/modules/mod_access.so
LoadModule auth_module /usr/local/apache2/modules/mod_auth.so
LoadModule userdir_module /usr/local/apache2/modules/mod_userdir.so
LoadModule dir_module /usr/local/apache2/modules/mod_dir.so
LoadModule mime_module /usr/local/apache2/modules/mod_mime.so
LoadModule log_config_module /usr/local/apache2/modules/mod_log_config.so
LoadModule alias_module /usr/local/apache2/modules/mod_alias.so
LoadModule autoindex_module /usr/local/apache2/modules/mod_autoindex.so
LoadModule negotiation_module /usr/local/apache2/modules/mod_negotiation.so
LoadModule setenvif_module /usr/local/apache2/modules/mod_setenvif.soReferences:
