Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Software Apache

Apache 2.0 r00ted on NetWare, Windows, OS/2 58

An anonymous reader writes "A flaw in Apache 2.0's interpretation of the backslash delimiter allows for a remote r00ting on NetWare, Windows, and OS/2. InfoWorld has an overview; the attack was discoverd by PivX's Auriemma Luigi, and he describes it in this technical document. I don't know whether there is such a thing as an OS/2 shop anymore, and most Microsoft shops probably run IIS, but Apache now ships as the default web server for NetWare 6, so Novell shops: Take note. A patch is available from Apache, and Luigi describes a workaround in his article."
This discussion has been archived. No new comments can be posted.

Apache 2.0 r00ted on NetWare, Windows, OS/2

Comments Filter:
  • Cough, another repeat. http://apache.slashdot.org/article.pl?sid=02/08/10 /0058246&mode=thread&tid=148
  • by alanjstr ( 131045 ) on Saturday September 07, 2002 @08:54PM (#4214209) Homepage
    Apache 2.0.40 was released August 9th, fixing the hole. You can read the advisory [apache.org], but you should have upgraded already. The real news is that many Apache web servers are still unpatched. Won't admin's ever learn?
    • Won't admin's ever learn?

      Learn what, how to use apostrophes? ;-)

      Seriously though, keeping on the bleeding edge of updates isn't always feasible. A lot of companies might be running third party software that is explicitly not supported unless you're running a particular version of Apache, or a particular version of the Linux kernel, C libraries, etc. (And likewise for Windows software, etc.)

      Please be generous and accept that negligence isn't the only explanation for failure to keep up with the latest patches of all the major & minor components of a modern computer system...

      • If your running the experimental version you should expect to upgrade often. It's a simple fact of beta.
      • I was kidding about admins keeping their sites updated. Once software is released it still needs to go through rigorous testing. Hopefully they have a good method for making sure that everything does work and for handling problems such as this. At least this problem is easier to fix than most IIS bugs.
  • Not Important (Score:2, Insightful)

    by clifforch ( 515800 )
    The bug only provides information about the target server, that's not a root exploit last time I checked. Also it's a repeat story

    Move along. Nothing here
  • Not too many people would have this under OS/2. I haven't seen OS/2 used by web servers (except for certain OS/2 supporter sites), but I did see it just 2 or 3 weeks at a local ATM. I only knew it was OS/2 because it was crashed, and I remember the Trap screen well from when I used it on my system.
    • I highly doubt you saw the OS/2 screen "crashed".. I've seen many an ATM left in "Admin" mode, where you can obviously tell it's OS/2,b ut can't do shit because it's expecting input from something locked up in the cabinet.. but i've never seen an OS/2 box crash. Ever.
      • ....and I was a beta tester for 3.0 and 4.0.

        Just to add some qualification to that.

        OS/2 is freaking bulletproof. It's too bad it requires 512MB ram to run slow.
        *sigh*
        • Yes, I have seen OS/2 GPF screens too.

          OS/2 did a whole lot better running on a 486 with 20 MB than Windows NT. [yes, I did this :)] It also runs quite nicely without having a paging file greater than installed memory. That is, you can run OS/2 quite nicely with a 10M swapper.dat.

          It's fairly easy to optimise: I burnt cdroms under OS/2 on my 486, using a specially modified (ie thinned out) version of OS/2 3.0,

          Also, there is a neat little program called allocmem, which unloads unused dlls in core to the swap file, giving heaps more usable ram..

      • Trust me, I DO remember what the trap screens looked like. This machine was in text mode with information about the trap. It was/still is a good operating system, but it wasn't completely bulletproof (like any other system). I would still be using it today if I didn't have to reboot into Win98 to play my favorite games (maybe either I will stop being too lazy to reboot or the project Odin will solve this one day).
      • Having worked for a handful of years in a small office that ran OS/2 on all machines, I had quite a chuckle when I walked past an ATM machine one day and immediately recognised the old "Trap D" blue screen. It happens. OS/2 is (was) pretty nice, but no OS is immune from lockups. This was in May of 1998, in the lobby of an airport in Munich.
      • I've used OS/2 for nearly 7 years, and believe me, It crashed often (but not as often as win9x though). It had some sort of problem with the message queue that usually ended up in WPS frozen.
        I also remember watching an OS/2 ATM showing a Trap e.
        • Yes, remember Stardock's Process Commander or the freeware program WatchCat? I was actually one of perhaps 1000 people that purchased Process Commander, but it actually worked. Stardock wrote a completely new keyboard driver that did not have the limitations of IBM's... Watchcat let you trigger it through a serial port and a switch, which I believe you had to make with help from your local Radio Shack.
  • by Anonymous Coward
    Goats are fun because they all have different personalities and have different little habits that can be amusing or interesting. Goats are very affectionate and especially during the summer, when they are too hot to be active, they like to just hang around people and get a good scratch. Most goats' favorite scratchy spot is around their shoulder but some even liked to be scratched in between their toes.

    It is very rewarding to see a goat you have raised from a baby grow up and have kids and grandkids of her own. With goats that doesn't have to take too long, maybe about 3 or 4 years at most, because they are able to breed when they are just a year old. It's also neat to learn how to milk or trim hooves and other things that you wouldn't ordinarily be able to do.

  • On NetWare? (Score:2, Interesting)

    by RevAaron ( 125240 )
    What is the deal with NetWare, exactly?

    The term "Apache 2.0 r00ted on NetWare" implies that NetWare is an operating system- I was under the impression NetWare ran as a bunch of services on top of Win NT or something like that. Is that the case, or does NetWare run as an OS, directly on the hardware?

    If it is the former, is there a special version of Apache that uses NetWare on top of Windows? If this is the case, I assume that it is using the IPX protocol instead of TCP/IP... what is the advantage of this? If it's not this, what is the difference? What makes Apache on NetWare different than Apache on Windows?

    Any insight would be much appreciated- :)
    • NetWare is indeed it's own operating system, complete with drivers, memory management, etc. It does require DOS to boot, but typically removes DOS from memory after starting. Newer version of NetWare support TCP/IP as well as IPX.
    • Re:On NetWare? (Score:4, Informative)

      by Dahan ( 130247 ) <khym@azeotrope.org> on Sunday September 08, 2002 @01:55AM (#4214949)
      Is that the case, or does NetWare run as an OS, directly on the hardware?

      NetWare is an operating system and has nothing to do with Windows at all. Last time I used it, it did still require you to boot into MSDOS first, but once you ran its EXE, it kicked DOS out and completely took over. It used to be the most popular network operating system, but NT has pretty much killed it. It's still around though....

      • As a historical note, Novell has been in the OS business since way back. Back around 1985, Novell sold its own custom hardware - the Novell 68B file server used a Motorola 68000 processor and ran a Novell OS called S-Net. I think, but I'm not sure, that might have been before the name NetWare was used.

        The 68000 file servers were needed in the days when PCs weren't quite powerful enough to serve large networks.

    • Not at all, Netware is it's own OS, long before the only "windows" OS, NT (later called 2000, then called XP...) was available (and no, windows 95, 98, ME are not "windows" OS's, they still use the same model as Win 3.11 (and win 2.x, win 2.x 386, etc, etc.) before, boot a basic DOS, then load the graphical shell).

      The old bindery netware (3.x generation) _has_ been ported to run as a process under a host operating system; OS/2, Linux come to mind (but never windows; perhaps you are thinking of Banyan Vines). To further confuse the issue, it was possible to have a DOS FAT partition on your server marked as primary, boot into a DOS, then run a utility (usually named "server.exe" to boot into netware. This was a popular option as it gave you an MS/PC/DR-DOS partition to run external recovery tools if something "bad" happened your Netware server. However, Netware never ran _under_ DOS. Netware 2 and higher could boot with no DOS partition whatsoever, if desired.

      ---snip
      If this is the case, I assume that it is using the IPX protocol instead of TCP/IP

      ---snip

      Nope, Apache uses TCP/IP under netware, just like other modern netware apps.

      ---snip
      What makes Apache on NetWare different than Apache on Windows?

      ---snip

      Uptime and speed (better asked as "What makes Apache on Windows different from Apache on any other OS?") :)

      Netware is an ultra-simple, text-mode only (for years anyway, somewhere along the line they added the rarely used option to run a stripped clone of X with a very simple window manager; I don't think anyone actually uses it though), quite peppy file server (with mature directory services, to boot). Netware 3.2 (the free, y2k compliant, bindery only version) for example, runs fine quite adequately on a 386 (although if anyone were to use this, I would recommend at least a 486, as then VLB/PCI becomes available for disk and network subsystems). With a small foot print, simple design, it gives great uptimes, and great speed.

      That said, I personally have not deployed Netware in years, and probably never will again.
    • It amazes me how little people know about Netware.
      It is still very relevant to todays networked world. It is fast, reliable and secure with the best directory service available in the market today (something MS has just recently realised they need with AD).
      Read what you can do with Netware, download a trial version. You will be suprised.
  • This is dead embarassing for the Apache group. Both bugs described in Luigi's article are really architectural flaws, not simply buffer overflows, or anything else that can happen to anyone, no matter how careful you are...

    The first bug was a "helpful" error message, giving you the _exact_ path of the apache installation, when asking for a file in the error-directory. This is really the kind of fault we expect from Microsoft (always trying to be more "user-friendly" then secure).

    The second bug was even worse. Apache didn't interpret '\' as a "dangerous" character in urls. And neither was \..\..\..\WINNT\system32\ looked at as especially suspicious. With all the press nimda and code red got, it wouldn't be so hard to think that Apache wouldn't do the same mistake AFTER Microsoft, but did they do... Oh, yes...

    In IIS, the final nail in the coffin when it comes to security is the fact that it runs under the privileges of SYSTEM. Anyone knows what Apache on NT/2k runs as?

    • Well, on my Win2k box Apache/2.0.40 installed itself as a '.\LocalSystem'. Which will give Apache far more rights than you'd expect. Effectively not far from root.

      I had to set up a seperate user, '.\Apache', - you'd expect Apache to create a restrictive user by default on install.

      tlhf

    • In IIS, the final nail in the coffin when it comes to security is the fact that it runs under the privileges of SYSTEM. Anyone knows what Apache on NT/2k runs as?

      Wrong. All accesses via IIS are in the context of the IUSR_ unless explicitly defined otherwise. The IUSR account has minimal permissions, although a lot of admins forget to lock down the file permissions (IUSR being a part of the Everyone group)
  • Netware 6 ships with Apache 1.3.22 and Tomcat 3.3. It is NOT vulnerable to this particular exploit. Note that some Netware 6 services also uses the Netware-Enterprise-Web-Server 5.1 from defunct Novonyx, a joint effort of Novell and Netscape.

    Now, Apache does offer a 2.x version that does also run on Netware. So, it is possible for someone to upgrade their Netware server from 1.3.22 to 2.x but, this is not how Novell ships it. Additionally, most Netware shops will take their updates only from Novell therefore, I would be surprised if there were many Apache 2.x servers running on Netware.
  • A month old repeat article is news?

    The infoworld article is a month old.

    Slashdot had it two weeks ago.

    NetWare ships with Apache 1.3.x

    Try to check your sources next time!
  • Netware 6.0 comes with Apache 1.3 out of the box. In order to install Apache 2.0, you must follow strict instructions that explicitly warn you that the 2.0 code for Netware is highly experimental:

    "Due to the fact that Apache 2.0 for NetWare has not received the same level of testing as on other platforms, the binaries for Apache 2.0 have been made available for testing purposes only. We DO NOT recommend that Apache 2.0 for NetWare be used in a production environment at this point."

    See this [apache.org] for reference.

    -bk

"The great question... which I have not been able to answer... is, `What does woman want?'" -- Sigmund Freud

Working...