Slashdot Mirror


Exploitable MS FrontPage Apache Installs

A reader writes: "On NewsForge, there is an interview with a system administrator looking for an officially supported FrontPage install for RedHat Linux Apache rpm to fix CERT Advisory CA-2002-17, which has already been found in the wild. According to the interview Microsoft may, at some point, release an official patch or upgrade which Apache, RedHat and others fixed long ago."

3 of 26 comments

  1. RTFCitA by Outland+Traveller · Score: 3, Interesting

    Read The F* Comments in the Article!

    Lots of people there say that they can get apache to work with frontpage by patching their current version with the security fix instead of upgrading.

    Frontpage for Apache still officially supports RH 7.0. Not supporting anything recent isn't exactly new for them. Anyone who uses this extension has learned to fend for themselves.

    I personally would dump frontpage. I don't care if half the world uses it. Educate them. Provide them with something else that is workable. If you're going to complain that your business will go under because you don't support frontpage then run IIS and eat worms in your cake.

  2. One thing by einhverfr · Score: 4, Insightful

    This shows me one thing (sure this might get modded down)-- Microsoft is clearly not serious about their "Trustworthy Computing" initiative. If so, this should have been fixed a LONG time ago...

    Oh wait-- that only applies to Microsoft operating systems?

    --

    LedgerSMB: Open source Accounting/ERP

  3. mod_frontpage by Marsala · Score: 3, Informative

    Christof Pohl was actually distributing an "improved" mod_frontpage apache module. Basically, it did the same thing as the crap that MS/RTR have wedged into the actual apache binary, but it compartmentalized permissions for dealing with the subwebs through the fpexec user (kind of like suexec). I felt a lot safer, and it provided a nice solution for my customers where I could include support for FP on our servers without having to fsck up the apache binary. I have asked RTR to look into making a DSO, but it seems like the request has been ignored...

    Any rate, mod_frontpage apparently has been orphaned by Christof. FreeBSD seems to be actively maintaining it, and they have a version that works with FP 5.0 (2002) available in their ports tree... Mandrake has built an RPM based off of the FreeBSD code. I was able to take the SRPM from Mandrake, make some edits to the spec file, and get mod_frontpage running on RH 6.2, 7.1, 7.2, and 7.3 systems from my own RPM. Works great with the official RH errata apache RPMs for each platform, as well as the 1.3.26 RPMs I've created.

    So, there are solutions out there. But you'll be waiting a long time if you insist that a vendor hand them to you. :-)