Exploitable MS FrontPage Apache Installs
A reader writes: "On NewsForge, there is an interview with a system administrator looking for an officially supported FrontPage install for RedHat Linux Apache rpm to fix CERT Advisory CA-2002-17, which has already been found in the wild. According to the interview Microsoft may, at some point, release an official patch or upgrade which Apache, RedHat and others fixed long ago."
But the "Other" vulnerability didn't?
Read The F* Comments in the Article!
Lots of people there say that they can get apache to work with frontpage by patching their current version with the security fix instead of upgrading.
Frontpage for Apache still officially supports RH 7.0. Not supporting anything recent isn't exactly new for them. Anyone who uses this extension has learned to fend for themselves.
I personally would dump frontpage. I don't care if half the world uses it. Educate them. Provide them with something else that is workable. If you're going to complain that your business will go under because you don't support frontpage then run IIS and eat worms in your cake.
I'm still waiting to hear from Microsoft regarding that fix. We like to use officially supported software, so we don't have to be "FrontPage gurus" in order to allow some of our clients to use FrontPage. Plus, we are a Registered Web Presence Provider for Microsoft® FrontPage® version 2002 and all of that...
-Eric
Eric C Williams E-Builders, LLC
Anyone else think it's odd that this article is on the front page, but the Article describing the bug was hidden under the "Apache" section, which is not turned on by default (and thus not read by most Slashdot users)?
Anyone sense anti-Microsoft bias here? This exploit is a MAJOR problem, you can't turn a blind eye to it and expect the problem to go away.
Fire away...
(For the record, I love Apache, and manage it daily).
"Can of worms? The can is open... the worms are everywhere."
::insert microsoft sucks rant here::
Educate > Enlighten > Evolve http://www.neuroatomik.com
Can't they let someone have a vulnerability all to themselves?
Microsoft Employee #1: "Hum do you think we should write the patch yet?"
Microsoft Employee #2: "Nah, there is no real reason to."
...interesting if true.
People actually use the FP exts supplied by M$? LOL! I use an unofficial version of them (not ms or rtr) that runs as Apache DSO and works in ALL apache 1.3.x versions (I use it with 1.3.26).
"With Microsoft, you get Windows. With Linux, you get the full house" - unknown
This shows me one thing (sure this might get modded down)-- Microsoft is clearly not serious about their "Trustworthy Computing" initiative. If so, this should have been fixed a LONG time ago...
Oh wait-- that only applies to Microsoft operating systems?
LedgerSMB: Open source Accounting/ERP
You can find that on Joshie's website:
http://www.joshie.com/projects/apache-frontpage
Even RedHat[tm] recommends him in their FAQs.
Exploitable MS FrontPage Apache Installs
For some reason, I'm reading that as something along the lines of, "MS is exploitable, Apache installs FrontPage."
Man, never eat sushi for breakfast if you're going to be reading Slashdot.
I must say, I'm shocked that there's FrontPage-Apache oddness going on. It's almost as if..
Someone's attempting to set Apache up the bomb!
'A quick note about FrontPage: it's fine to use FrontPage to generate your site, but when it comes to uploading the files that FrontPage generated, you'll need to use a regular FTP program. To enhance your sites' security and performance, "FrontPage extensions" are not enabled on your server.'
Christof Pohl was actually distributing an "improved" mod_frontpage apache module. Basically, it did the same thing as the crap that MS/RTR have wedged into the actual apache binary, but it compartmentalized permissions for dealing with the subwebs through the fpexec user (kind of like suexec). I felt a lot safer, and it provided a nice solution for my customers where I could include support for FP on our servers without having to fsck up the apache binary. I have asked RTR to look into making a DSO, but it seems like the request has been ignored...
Any rate, mod_frontpage apparently has been orphaned by Christof. FreeBSD seems to be actively maintaining it, and they have a version that works with FP 5.0 (2002) available in their ports tree... Mandrake has built an RPM based off of the FreeBSD code. I was able to take the SRPM from Mandrake, make some edits to the spec file, and get mod_frontpage running on RH 6.2, 7.1, 7.2, and 7.3 systems from my own RPM. Works great with the official RH errata apache RPMs for each platform, as well as the 1.3.26 RPMs I've created.
So, there are solutions out there. But you'll be waiting a long time if you insist that a vendor hand them to you. :-)
We were just kidding. Dick and Laura and Conoleeza and I would all like for you to just send that $300 right back. Cash is fine, or personal checks made out to me are also ok. Please use FedEx because I don't want to get anthrax from anything that's been in the US Mail.
and hurry up! I could really use the money- Dick and I are both going to jail if we can't hire us some good lawyers.
Good night, and God bless.
Well, Mr. Cheney, is that what you wanted me to say?
How about this. If you're too inept to figure out how to patch your frontpage apache install then maybe you should ask yourself whether you've chosen the right profession rather than bitching and moaning about having to use your fsking brain for once.