Security vulnerabilities in the Apache that comes with Oracle Database.
664216 Jun 3 2011 — edited Jun 8 2011
Hi,
We have a QA database running Oracle Enterprise Edition version 9.2.0.4 on OS: OSF1.
Recently our security team ran a test and found that the Apache 1.3 that comes as a component of Oracle Database is prone to security vulnerabilities. They also suggested removing the Apache or upgrading to the latest version as a remedy.
When we contacted Oracle Support, the Oracle team replied that the Apache should not be upgraded; instead, the latest Apache can be installed separately as a reverse proxy. But when we asked for steps/documentation there was no reply. Has anyone faced this problem who can provide any help/suggestion in this regard?
I am attaching some of the threads identified by our Security Team for reference.
1. Apache 1.3 HTTP Server Expect Header Cross-Site Scripting XXXX and YYYYYY ports 7782, 4889, 3339.
2. Apache HTTP Server 413 Error HTTP Request Method Cross-Site Scripting Weakness
3. Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>417 Expectation Failed</TITLE>
</HEAD><BODY>
<H1>Expectation Failed</H1>
The expectation given in the Expect request-header
field could not be met by this server.<P>
The client sent<PRE>
Expect: <script>alert(document.domain)</script>
</PRE>
but we only allow the 100-continue expectation.
-CR
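The reverse-proxy arrangement Oracle Support described, as an added example that is not from the original post, from Oracle or from Apache documentation for this product: a separately installed Apache 2.4 sits in front of the bundled Apache 1.3 and serves its own error pages, so the two reflected-XSS error pages the security team flagged are never returned to clients. Assumed: the new Apache listens on port 80 on the same host, the old instance is moved to loopback on 7782 (one of the ports from the post), the hostname is a placeholder, and mod_proxy, mod_proxy_http and mod_headers are loaded.

```apache
# Added example (assumed layout), not the original post's or Oracle's own config.
# Apache 2.4 reverse proxy in front of the Apache 1.3 bundled with Oracle Database.
# On the old Apache 1.3 instance, change its Listen directive to
#   Listen 127.0.0.1:7782
# (or firewall the port) so that only this proxy can reach it.
Listen 80

<VirtualHost *:80>
    # Placeholder hostname; replace with the real one.
    ServerName db-qa.example.invalid

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Forward everything to the old listener on loopback.
    ProxyPass        "/" "http://127.0.0.1:7782/"
    ProxyPassReverse "/" "http://127.0.0.1:7782/"

    # Both findings are reflected XSS inside error pages generated by the
    # backend (417 Expectation Failed and 413). With this on, any 4xx/5xx
    # response from the backend is replaced by this server's own error
    # document instead of relaying the backend's HTML body to the client.
    ProxyErrorOverride On

    # Drop the client's Expect header before proxying, so the old server
    # has no unmet expectation to echo back in a 417 page.
    RequestHeader unset Expect

    # Reject oversized request bodies here (1 MiB, adjust as needed) so the
    # 413 is produced by Apache 2.4, not by the backend's vulnerable page.
    LimitRequestBody 1048576

    ErrorLog  "logs/oracle-proxy-error.log"
    CustomLog "logs/oracle-proxy-access.log" combined
</VirtualHost>
```

ProxyErrorOverride also replaces legitimate application 4xx responses (for example a 404 with a custom body from the backend), so check the Oracle web pages still behave after enabling it; the old Apache 1.3 still has to be unreachable from the network for the proxy to be a real mitigation rather than a second front door.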