Slashdot Mirror


Exploitable MS FrontPage Apache Installs

A reader writes: "On NewsForge, there is an interview with a system administrator looking for an officially supported FrontPage install for RedHat Linux Apache rpm to fix CERT Advisory CA-2002-17, which has already been found in the wild. According to the interview, Microsoft may, at some point, release an official patch or upgrade which Apache, RedHat and others fixed long ago."

26 comments

  1. RTFCitA by Outland+Traveller · · Score: 3, Interesting

    Read The F* Comments in the Article!

    Lots of people there say that they can get apache to work with frontpage by patching their current version with the security fix instead of upgrading.

    Frontpage for Apache still officially supports RH 7.0. Not supporting anything recent isn't exactly new for them. Anyone who uses this extension has learned to fend for themselves.

    I personally would dump frontpage. I don't care if half the world uses it. Educate them. Provide them with something else that is workable. If you're going to complain that your business will go under because you don't support frontpage then run IIS and eat worms in your cake.

    1. Re:RTFCitA by Biggles_the_pilot · · Score: 1

      Yay! Why you only get 2 for your excellent post? Me no understand.

      --
      I have no sig
    2. Re:RTFCitA by Anonymous Coward · · Score: 0

      I personally hate running FP extensions because it supports retards and it's one big kludge. But as long as there are beginners who want the tools to build something with, there will be a market for this. Unfortunately, it's MS providing the tools. Trying to get these people to use other tools is a lost cause. Why would they, when they can build a counter or a form mailer in 3 clicks? The downside is they call my company every day wondering why their POS apps are always broken. You have to literally break the FP extensions just to get the server *somewhat* secure....to use the term loosely.

  2. Still no response from MS by ebuilder · · Score: 2, Interesting

    I'm still waiting to hear from Microsoft regarding that fix. We like to use officially supported software, so we don't have to be "FrontPage gurus" in order to allow some of our clients to use FrontPage. Plus, we are a Registered Web Presence Provider for Microsoft® FrontPage® version 2002 and all of that...
    -Eric

    --
    Eric C Williams E-Builders, LLC
    1. Re:Still no response from MS by Orbital+Sander · · Score: 1

      Plus, we are a Registered Web Presence Provider for Microsoft® FrontPage® version 2002 and all of that...

      Unless I'm missing a major point here, why don't you just run Frontpage on Windows NT servers and put an Apache box in front of it as reverse proxy?

    2. Re:Still no response from MS by Anonymous Coward · · Score: 0

      It's not like the patch is megabytes long. I had no problems getting it to work with 1.3.26, mod perl and php. I used the source rpms for improved mod frontpage from mandrake and extracted out the tar file. Then I patched (patch -p0 < patch_file) and fixed the one chunk that didn't work (2 lines). Built from my normal build script, restarted apache and went on my way.

    3. Re:Still no response from MS by ebuilder · · Score: 1

      It's not like the patch is really the problem. We are not, nor do we aspire to be, FrontPage developers. We like to use MS for support for such matters. When a client's web form or webbot or whatever isn't working and the standard fixes don't work, it helps to contact MS and speak with a FP developer. If you aren't running supported extensions you don't have that.

      --
      Eric C Williams E-Builders, LLC
  3. "Microsoft" on front page, "Apache" isn't... by stefanlasiewski · · Score: 2, Offtopic

    Anyone else think it's odd that this article is on the front page, but the Article describing the bug was hidden under the "Apache" section, which is not turned on by default (and thus not read by most Slashdot users)?

    Anyone sense anti-Microsoft bias here? This exploit is a MAJOR problem, you can't turn a blind eye to it and expect the problem to go away.

    Fire away...

    (For the record, I love Apache, and manage it daily).

    --
    "Can of worms? The can is open... the worms are everywhere."
    1. Re:"Microsoft" on front page, "Apache" isn't... by nirvdrum · · Score: 1

      I also sense they don't like it when you mention it. Cheers to being modded down.

      --
      If there was a "-1 Not Funny", that'd be my most used mod.
  4. obligatory rant by Hoeken · · Score: 0, Troll

    ::insert microsoft sucks rant here::

    --
    Educate > Enlighten > Evolve http://www.neuroatomik.com
  5. Damn Microsoft by mfos.org · · Score: 2

    Can't they let someone have a vulnerability all to themselves?

    1. Re:Damn Microsoft by Anonymous Coward · · Score: 0

      e-mail alex@coreweb.net if you like his site -- it's a self-portrait.

  6. Is this really surprising... by quasi_steller · · Score: 2, Insightful

    ...I mean really. Microsoft is late on writing a patch for FrontPage to communicate with the Apache web server.

    Microsoft Employee #1: "Hum do you think we should write the patch yet?"
    Microsoft Employee #2: "Nah, there is no real reason to."

    --
    ...interesting if true.
  7. HAHA by roly · · Score: 0

    People actually use the FP exts supplied by M$? LOL! I use an unofficial version of them (not ms or rtr) that runs as Apache DSO and works in ALL apache 1.3.x versions (I use it with 1.3.26).

    --
    "With Microsoft, you get Windows. With Linux, you get the full house" - unknown
  8. One thing by einhverfr · · Score: 4, Insightful

    This shows me one thing (sure this might get modded down)-- Microsoft is clearly not serious about their "Trustworthy Computing" initiative. If so, this should have been fixed a LONG time ago...

    Oh wait-- that only applies to Microsoft operating systems?

    --

    LedgerSMB: Open source Accounting/ERP
  9. Use Joshie's RPMs / SRPMs by blasiusmaximus · · Score: 1

    You can find that on Joshie's website:

    http://www.joshie.com/projects/apache-frontpage/

    Even RedHat[tm] recommends him in their FAQs.

    1. Re:Use Joshie's RPMs / SRPMs by Anonymous Coward · · Score: 0

      These are fine if you run RedHat. I use the apache source and the improved mod frontpage patch from mandrake to make my own. Works on any distribution.

  10. We get signal! by Anonymous Coward · · Score: 1, Funny

    Exploitable MS FrontPage Apache Installs

    For some reason, I'm reading that as something along the lines of, "MS is exploitable, Apache installs FrontPage."

    Man, never eat sushi for breakfast if you're going to be reading Slashdot.

    I must say, I'm shocked that there's FrontPage-Apache oddness going on. It's almost as if..

    Someone's attempting to set Apache up the bomb!

  11. in our web hosting docs by realdpk · · Score: 2

    'A quick note about FrontPage: it's fine to use FrontPage to generate your site, but when it comes to uploading the files that FrontPage generated, you'll need to use a regular FTP program. To enhance your sites' security and performance, "FrontPage extensions" are not enabled on your server.'

  12. mod_frontpage by Marsala · · Score: 3, Informative

    Christof Pohl was actually distributing an "improved" mod_frontpage apache module. Basically, it did the same thing as the crap that MS/RTR have wedged into the actual apache binary, but it compartmentalized permissions for dealing with the subwebs through the fpexec user (kind of like suexec). I felt a lot safer, and it provided a nice solution for my customers where I could include support for FP on our servers without having to fsck up the apache binary. I have asked RTR to look into making a DSO, but it seems like the request has been ignored...

    Any rate, mod_frontpage apparently has been orphaned by Christof. FreeBSD seems to be actively maintaining it, and they have a version that works with FP 5.0 (2002) available in their ports tree... Mandrake has built an RPM based off of the FreeBSD code. I was able to take the SRPM from Mandrake, make some edits to the spec file, and get mod_frontpage running on RH 6.2, 7.1, 7.2, and 7.3 systems from my own RPM. Works great with the official RH errata apache RPMs for each platform, as well as the 1.3.26 RPMs I've created.

    So, there are solutions out there. But you'll be waiting a long time if you insist that a vendor hand them to you. :-)

  13. Give me a fscking break. by Anonymous Coward · · Score: 0

    How about this. If you're too inept to figure out how to patch your frontpage apache install then maybe you should ask yourself whether you've chosen the right profession rather than bitching and moaning about having to use your fsking brain for once.