Slashdot Mirror


Exploitable MS FrontPage Apache Installs

A reader writes: "On NewsForge, there is an interview with a system administrator looking for an officially supported FrontPage install for RedHat Linux Apache rpm to fix CERT Advisory CA-2002-17, which has already been found in the wild. According to the interview Microsoft may, at some point, release an official patch or upgrade which Apache, RedHat and others fixed long ago."

1 of 26 comments

  1. mod_frontpage by Marsala · Score: 3, Informative

    Christof Pohl was actually distributing an "improved" mod_frontpage apache module. Basically, it did the same thing as the crap that MS/RTR have wedged into the actual apache binary, but it compartmentalized permissions for dealing with the subwebs through the fpexec user (kind of like suexec). I felt a lot safer, and it provided a nice solution for my customers where I could include support for FP on our servers without having to fsck up the apache binary. I have asked RTR to look into making a DSO, but it seems like the request has been ignored...

    Any rate, mod_frontpage apparently has been orphaned by Christof. FreeBSD seems to be actively maintaining it, and they have a version that works with FP 5.0 (2002) available in their ports tree... Mandrake has built an RPM based off of the FreeBSD code. I was able to take the SRPM from Mandrake, make some edits to the spec file, and get mod_frontpage running on RH 6.2, 7.1, 7.2, and 7.3 systems from my own RPM. Works great with the official RH errata apache RPMs for each platform, as well as the 1.3.26 RPMs I've created.

    So, there are solutions out there. But you'll be waiting a long time if you insist that a vendor hand them to you. :-)