LinuxSA Mailing list archives

  From: Daniel Callan <dcallan@dataline.net.au>
  To  : linuxsa@linuxsa.org.au
  Date: Tue, 22 Dec 1998 19:42:50 +1000

Re: FOLLOWUP - Front Page Extensions for Apache

Apologies for the extreme delay in continuing this thread, I've been
busy as hell lately. I'm just now playing catch-up with my linuxsa mailbox
(I thankfully DO have filters ;-P) and I found this reply:

At 22:14 21/12/98 +1030, you wrote:
>Daniel Callan wrote:
>
> > Has anyone out there had any experience with running FP extensions
> > on Apache?
> > It is looking like we will have to support them for some of our
> > web domain clients and I just want to make sure that we aren't in
> > for any nasty suprises.
>
>I didn't see any replies to this. 

Yeah, sorry about that. Ben Kramer and I sorted it out off-list
and I forgot to post a conclusion.

> All I can say is, "Be afraid,
>be very afraid."

That was my conclusion. :-)


>
>The first version of the extensions was binary only;  it contained
>a bug which permitted anyone on the Internet to break-into your
>machine as root.
>
>They patched that.  The second version of the extensions was
>also binary only;  It contained a *different* bug which permitted
>anyone on the Internet to break into your machine as the same
>user-id your web server runs under (root on some sites).

Yes, these were the exploits I'd heard of but the reason for posting
the question was to see if this was consensus or hearsay (I assumed
the former anyway). You have clarified the exact nature of the exploits
for me though, and that does help a lot (esp. when it comes time to 
explain "why" to the marketing dept.)


>
>They patched that.  They released a third version which was mostly
>binary-only, with the exception of one or two .c files.  The .c files
>are so badly written it's almost comical; It's pretty obvious that
>whoever wrote them has absolutely no idea about C programming under
>UNIX (or, perhaps, under any other OS).  There is very little evidence
>that "safe" programming practices for setuid executables have been
>followed, and the vibe among the professional security community is
>that the extensions can't be trusted as far as you can throw them.
>There are profound issues of reliability to consider if the bits they
>haven't released source code for have been written by the same person
>who wrote the source they do include.

lol :-)

It's nice to know that all my fears/assumptions about these wretched
things were 100% true. Ben was telling me that there is a version out
now that is an MS-written patch to run over Apache's httpd.

As I said to Ben, I thought that was like getting Lada to do an
engine overhaul for a Ferrari. :-P


>server).  Think about all the security problems which result from
>giving users the ability to run CGI scripts, then consider that the
>FrontPage extensions only work when they're enabled.  Just to top it
>all off they're insecure setuid CGI scripts written by Microsoft.
>
>They're evil.  Just Say No.

I have been saying "No!" for a whole year (despite much wailing and gnashing 
of teeth from lazy "MS web developer" clients) and now that I have some more 
concrete info on just how crap they are, I can happily shun them as I would 
the many other shoddy, insecure MS internet-apps that have come and gone.


>counts as a definite plus.  Just tell your users they can get their
>webpage counters from sites all over the net and they won't know the
>difference. :-)

Users? I won't even let them have CGI. ;-)
This whole issue was only concerning our web domain clients.
I've already perfected the steps for helping them to upload
from FP via FTP (and I've never used the damn program either),
so I will just continue to do so. If they just stuck to ASCII
editors and applied some brainpower they might even learn 
something, but hey I'm probably asking too much there ;-)

Many thanks to Ben and Mark for all your help/info/humour on 
this thread.

Regards,
-Daniel


         Daniel Callan
        Network Manager

     hostmaster@dataline.net.au
      -- DataLine.net.au --
     http://dataline.net.au 

Q: Why do programmers always get Christmas and Halloween mixed up?
A: Because DEC 25 = OCT 31

-- 
Check out the LinuxSA web pages at http://www.linuxsa.org.au/
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject

