Exploitable MS FrontPage Apache Installs

A reader writes: "On NewsForge, there is an interview with a system administrator looking for an officially supported FrontPage install for RedHat Linux Apache rpm to fix CERT Advisory CA-2002-17, which has already been found in the wild. According to the interview Microsoft may, at some point, release an official patch or upgrade which Apache, RedHat and others fixed long ago."
  • RTFCitA (Score:3, Interesting)

    by Outland Traveller ( 12138 ) on Tuesday July 09, 2002 @03:51PM (#3852329)
    Read The F* Comments in the Article!

    Lots of people there say that they can get apache to work with frontpage by patching their current version with the security fix instead of upgrading.

    Frontpage for Apache still officially supports RH 7.0. Not supporting anything recent isn't exactly new for them. Anyone who uses this extension has learned to fend for themselves.

    I personally would dump frontpage. I don't care if half the world uses it. Educate them. Provide them with something else that is workable. If you're going to complain that your business will go under because you don't support frontpage then run IIS and eat worms in your cake.
  • I'm still waiting to hear from Microsoft regarding that fix. We like to use officially supported software, so we don't have to be "FrontPage gurus" in order to allow some of our clients to use FrontPage. Plus, we are a Registered Web Presence Provider for Microsoft® FrontPage® version 2002 and all of that...
    -Eric
    • Plus, we are a Registered Web Presence Provider for Microsoft® FrontPage® version 2002 and all of that...

      Unless I'm missing a major point here, why don't you just run Frontpage on Windows NT servers and put an Apache box in front of it as reverse proxy?
  • Anyone else think it's odd that this article is on the front page, but the Article describing the bug [slashdot.org] was hidden under the "Apache" section, which is not turned on by default (and thus not read by most Slashdot users)?

    Anyone sense anti-Microsoft bias here? This exploit is a MAJOR problem, you can't turn a blind eye to it and expect the problem to go away.

    Fire away...

    (For the record, I love Apache, and manage it daily).
  • Can't they let someone have a vulnerability all to themselves?
  • ...I mean really. Microsoft is late on writing a patch for FrontPage to communicate with the Apache web server.

    Microsoft Employee #1: "Hum do you think we should write the patch yet?"
    Microsoft Employee #2: "Nah, there is no real reason to."

  • One thing (Score:4, Insightful)

    by einhverfr ( 238914 ) <chris.traversNO@SPAMgmail.com> on Tuesday July 09, 2002 @08:57PM (#3853849) Homepage Journal
    This shows me one thing (sure this might get modded down)-- Microsoft is clearly not serious about their "Trustworthy Computing" initiative. If so, this should have been fixed a LONG time ago...

    Oh wait-- that only applies to Microsoft operating systems?
  • You can find that on Joshie's website:

    http://www.joshie.com/projects/apache-frontpage/

    Even RedHat[tm] recommends him in their FAQs.
  • by Anonymous Coward
    Exploitable MS FrontPage Apache Installs

    For some reason, I'm reading that as something along the lines of, "MS is exploitable, Apache installs FrontPage."

    Man, never eat sushi for breakfast if you're going to be reading Slashdot.

    I must say, I'm shocked that there's FrontPage-Apache oddness going on. It's almost as if..

    Someone's attempting to set Apache up the bomb!
  • 'A quick note about FrontPage: it's fine to use FrontPage to generate your site, but when it comes to uploading the files that FrontPage generated, you'll need to use a regular FTP program. To enhance your sites' security and performance, "FrontPage extensions" are not enabled on your server.'
  • mod_frontpage (Score:3, Informative)

    by Marsala ( 4168 ) on Thursday July 11, 2002 @02:06PM (#3865901) Homepage

    Christof Pohl was actually distributing an "improved" mod_frontpage apache module. Basically, it did the same thing as the crap that MS/RTR have wedged into the actual apache binary, but it compartmentalized permissions for dealing with the subwebs through the fpexec user (kind of like suexec). I felt a lot safer, and it provided a nice solution for my customers where I could include support for FP on our servers without having to fsck up the apache binary. I have asked RTR to look into making a DSO, but it seems like the request has been ignored...

    Any rate, mod_frontpage apparently has been orphaned by Christof. FreeBSD seems to be actively maintaining it, and they have a version that works with FP 5.0 (2002) available in their ports tree... Mandrake has built an RPM based off of the FreeBSD code. I was able to take the SRPM from Mandrake, make some edits to the spec file, and get mod_frontpage running on RH 6.2, 7.1, 7.2, and 7.3 systems from my own RPM. Works great with the official RH errata apache RPMs for each platform, as well as the 1.3.26 RPMs I've created.

    So, there are solutions out there. But you'll be waiting a long time if you insist that a vendor hand them to you. :-)
