Ask HN: Apache 2.2.22 is outdated but not according to the webhost - ForFreedom

After much debate with my web host: Apache 2.2.22 is outdated according to a security scan, but not according to the web host.

Is it really not outdated, as the web host says?
======
mortenlarsen
You can't really tell by the version number. For example, Debian stable has
Apache 2.2.22 but with security patches back-ported from Apache 2.2.29. It is
quite common to stay at a certain well-tested version for a while and only fix
security issues.

~~~
ForFreedom
What if malware was uploaded to the websites because of the outdated apache?

~~~
mortenlarsen
Well, you can't really know if it is outdated or if it has back-ported
patches. But chances are that your web host is telling you the truth, and that
it is not outdated from a security perspective. They are probably running
Debian.

~~~
ForFreedom
They are running Debian, so does that mean there is no security breach?

~~~
mortenlarsen
Yes. At least not anything that would be fixed by running a newer version.

------
digital-rubber
Outdated and vulnerable are two different things.

Still have boxes with Apache 1.3 running, but all potential vulnerabilities
are patched and/or _bad feature(s)_ removed.

Bottom line, I think, is that you are unhappy with your web host. Find another
that does match your particular preference.

~~~
ForFreedom
They pointed out that there are malware files and suggested an online security
scanner. I tried it out and pointed back to them that their web server is
outdated.

Well, my question to them was how can it be that I have malware and it's okay
for them to have outdated web server software.

I asked them for patch dates; didn't get a reply. They said if they upgrade
then all users will have problems with their websites.

I have been hosting with them for over 5 years now and they are good.

I may be wrong in my opinion or have overlooked something, so I wanted to know
what others think.

~~~
digital-rubber
I see. And yes, there have been some module/syntax changes between Apache
versions that make one less motivated to upgrade. Also, upgrading doesn't
always give you better security; you might be introducing a new issue/bug. But
I could see their reasoning for not upgrading/changing the version.

The scanner most likely does a simple version compare. The scanner assumes
anything under version X.Y == vulnerable. If it were hiding or faking the
vendor and version to the latest IIS (or Apache, or nginx, etc.), possibly it
would simply report all is A-Okay. Unless the scanner really tests the actual
exploits/vulnerabilities, I assume the simple version compare happens.

Though I'm quite certain the malware didn't get there via a method that only
utilises the web server; more likely a poorly coded (PHP, Perl, etc.) script
allowed 3rd parties to download/write to the disk of your web server.

If, for example, Shellshock wasn't patched in time, and there was a vulnerable
CGI script or similar on the website/server, it could have been that
script+bash that was exploited. But that doesn't make the web server
vulnerable (even though the malicious upload/action was executed via the
web server).
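
The two points above, a scanner that only compares version numbers and a distro that back-ports fixes without bumping the version, side by side as an added example (not code from this thread). The CVE ids, fix versions, package versions and changelog text are all constructed placeholders, not real advisories:

```python
"""Version-only scanning versus reading the distro changelog (constructed example)."""
import re

# Constructed: placeholder CVE ids mapped to the upstream release that fixed them.
# A version-only scanner flags every entry whose fix version is newer than the banner.
UPSTREAM_FIXES = {
    "CVE-0000-0001": (2, 2, 24),
    "CVE-0000-0002": (2, 2, 27),
    "CVE-0000-0003": (2, 2, 29),
}

# Constructed Debian-style package changelog: same 2.2.22 upstream version,
# two of the three issues back-ported, one still open.
CHANGELOG = """\
apache2 (2.2.22-13+deb7u3) wheezy-security; urgency=high

  * Back-port fix for CVE-0000-0002 (constructed placeholder)

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000

apache2 (2.2.22-13+deb7u1) wheezy-security; urgency=high

  * Back-port fix for CVE-0000-0001 (constructed placeholder)

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000
"""


def parse_version(server_header):
    """Pull (major, minor, patch) out of a banner such as 'Apache/2.2.22 (Debian)'."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", server_header)
    if not m:
        raise ValueError("no Apache version in header: %r" % server_header)
    return tuple(int(x) for x in m.groups())


def naive_scan(server_header):
    """What a version-only scanner reports: every CVE fixed in a later upstream release."""
    v = parse_version(server_header)
    return sorted(cve for cve, fixed in UPSTREAM_FIXES.items() if v < fixed)


def backported_cves(changelog):
    """CVE ids the package changelog records as fixed, regardless of upstream version."""
    return set(re.findall(r"CVE-\d{4}-\d{4,}", changelog))


def actually_open(server_header, changelog):
    """Naive findings minus the ones the distro changelog shows were back-ported."""
    return [c for c in naive_scan(server_header) if c not in backported_cves(changelog)]
```

On a Debian host the record to check is the package's own changelog (/usr/share/doc/apache2/changelog.Debian.gz), which lists the back-ported CVE fixes that the 2.2.22 banner never reveals.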

~~~
ForFreedom
Can the upload go into a non-www directory via PHP? A non-www directory is
not viewable. If this directory is accessible, then would it be a server- or
application-level exploit?

~~~
mortenlarsen
Yes, and any exploit is much more likely to be through a vulnerability in the
PHP application you are running on the site. That is my experience as a former
system administrator at a webhost.

------
viktorr
If you're going to run SSL, 2.2 will be very limited.

~~~
digital-rubber
I'd rather use TLS nowadays, until that gets cracked and we'll have nothing \o/

