# Insecure code but secure Apache

## dE_logics

Is it possible (if so, but how much degree) to secure Apache such that vulnerabilities in source (that Apache hosts) can be avoided? For e.g. an SQL vulnerability can be avoided cause of apache's current configuration?

If not, is there a webserver which provides such tweaking?

I tend to think that, cause Apache runs as a different user (if configured), it's impossible to compromise the system. I've seen cases of compromised sources (i.e. the site's source is replaced by a message or Windows malware), this also seems difficult to me cause of the permissions of the sources which'll avoid it's overwrite (but I don't know, I'm no dev).

The only thing that seems most vulnerable to me is the database. Vulnerable sources which might allow unexpected database r/w access.

----------

## Hu

SQL injection vulnerabilities can never modify the host filesystem on their own, but they can modify any database to which the buggy statement has modification access, disclose information from any database that the buggy statement can read, and so on.  Theoretically, an application might make filesystem decisions based on values read from the database, in which case unauthorized modifications to the database could lead to unauthorized filesystem access.  I have never heard of a production application which gets its filenames from a database like this, though.

SQL injection vulnerabilities cannot be mitigated by Apache configuration directives, because they are a defect in how the hosted application formats its commands to a database.  Apache has no access to supervise such transactions.  However, you can mitigate the damage done by ensuring the application uses a database connection with as few privileges as possible.  For example, if you are only returning data to the user, but never updating the database with user input, give the application an account that only has SELECT privilege.

Yes, running Apache as a user which has no write access to the files it is serving will prevent application bugs from changing the served content (but be aware of XSS attacks).

----------

## Anarcho

Please have a look a mod_security. This has already rules to prevent SQL-Injection.

----------

## Mad Merlin

Basically, no. Even if Apache was 100% secure (it isn't and no software is), it's infeasible to keep the arbitrary code it executes from causing security problems while simultaneously doing something useful. Even if you give Apache no privileges to do anything, eventually a bug in the code Apache hosts will give way to exploit another bug somewhere else in the system giving additional privileges.

You can minimize attack surface by disabling features, but you can never remove it. The closest to secure you'll get is to disable all modules and serve only static files.

----------

## dE_logics

Securities in Apache is a different thing.

----------

