Reputation: 11
I am scanning some servers with Nessus and there is something I do not understand. Nessus detects that the web server is Apache/2.2.16 (on Debian). If you go to http://httpd.apache.org/security/vulnerabilities_22.html you can see a lot of vulnerabilities that affect this Apache version.
However, Nessus did not detect anything related to these vulnerabilities. For example, the plugin 50070 "Apache 2.2 > 2.2.17 Multiple Vulnerabilities" was not fired.
I have checked that this plugin and all the available ones are activated (I did a complete scan with all plugins activated).
So my question is: why did Nessus not notify me that I am running an old Apache version with the vulnerabilities listed on http://httpd.apache.org/security/vulnerabilities_22.html ? I think that notifying me with
important: Range header remote DoS CVE-2011-3192
A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. This could be used in a denial of service attack.
is important.
Thanks in advance :)
Upvotes: 1
Views: 1003
Reputation: 1
I recommend reducing your performance settings (Max simultaneous checks per host, Max simultaneous hosts per scan) so that you get more accurate results as a result of the scan.
Upvotes: 0