Exploitable MS FrontPage Apache Installs
A reader writes: "On NewsForge, there is an interview with a system administrator looking for an officially supported FrontPage install for RedHat Linux Apache rpm to fix CERT Advisory CA-2002-17, which has already been found in the wild. According to the interview Microsoft may, at some point, release an official patch or upgrade which Apache, RedHat and others fixed long ago."
RTFCitA (Score:3, Interesting)
Lots of people there say that they can get apache to work with frontpage by patching their current version with the security fix instead of upgrading.
Frontpage for Apache still officially supports RH 7.0. Not supporting anything recent isn't exactly new for them. Anyone who uses this extension has learned to fend for themselves.
I personally would dump frontpage. I don't care if half the world uses it. Educate them. Provide them with something else that is workable. If you're going to complain that your business will go under because you don't support frontpage then run IIS and eat worms in your cake.
Re:RTFCitA (Score:1)
Still no response from MS (Score:2, Interesting)
-Eric
Re:Still no response from MS (Score:1)
Unless I'm missing a major point here, why don't you just run Frontpage on Windows NT servers and put an Apache box in front of it as reverse proxy?
Re:Still no response from MS (Score:1)
"Microsoft" on front page, "Apache" isn't... (Score:2, Offtopic)
Anyone sense anti-Microsoft bias here? This exploit is a MAJOR problem, you can't turn a blind eye to it and expect the problem to go away.
Fire away...
(For the record, I love Apache, and manage it daily).
Re:"Microsoft" on front page, "Apache" isn't... (Score:1)
Damn Microsoft (Score:2)
Is this really surprising... (Score:2, Insightful)
Microsoft Employee #1: "Hum do you think we should write the patch yet?"
Microsoft Employee #2: "Nah, there is no real reason to."
One thing (Score:4, Insightful)
Oh wait-- that only applies to Microsoft operating systems?
Use Joshie's RPMs / SRPMs (Score:1)
http://www.joshie.com/projects/apache-frontpage
Even RedHat[tm] recommends him in their FAQs.
We get signal! (Score:1, Funny)
For some reason, I'm reading that as something along the lines of, "MS is exploitable, Apache installs FrontPage."
Man, never eat sushi for breakfast if you're going to be reading Slashdot.
I must say, I'm shocked that there's FrontPage-Apache oddness going on. It's almost as if..
Someone's attempting to set Apache up the bomb!
in our web hosting docs (Score:2)
mod_frontpage (Score:3, Informative)
Christof Pohl was actually distributing an "improved" mod_frontpage apache module. Basically, it did the same thing as the crap that MS/RTR have wedged into the actual apache binary, but it compartmentalized permissions for dealing with the subwebs through the fpexec user (kind of like suexec). I felt a lot safer, and it provided a nice solution for my customers where I could include support for FP on our servers without having to fsck up the apache binary. I have asked RTR to look into making a DSO, but it seems like the request has been ignored...
Any rate, mod_frontpage apparently has been orphaned by Christof. FreeBSD seems to be actively maintaining it, and they have a version that works with FP 5.0 (2002) available in their ports tree... Mandrake has built an RPM based off of the FreeBSD code. I was able to take the SRPM from Mandrake, make some edits to the spec file, and get mod_frontpage running on RH 6.2, 7.1, 7.2, and 7.3 systems from my own RPM. Works great with the official RH errata apache RPMs for each platform, as well as the 1.3.26 RPMs I've created.
So, there are solutions out there. But you'll be waiting a long time if you insist that a vendor hand them to you. :-)