Experts demolish MS anti-Apache FUD

Bug vs Bug Comparison Gets Readers Antsy

Letters Re:
MS targets Linux, Mac rivals with IIS Astroturf
MS vows rewritten IIS, more patches

In response to Gartner's recommendation that businesses investigate alternatives to Microsoft's Internet Information Server, the Beast sent its sales staff a crib sheet with the theme: "all web servers are vulnerable - but some are more vulnerable than others". Several dozen of you have written to point out that Microsoft's list of vulnerabilities in Apache, PHP and MySQL misses the point.

"I am concerned, along with many others, about the apparently misinformed sales bulletin sent by Microsoft to its sales force," Richard Brain of ProCheckUp writes. Some of the 'bugs' don't exist, he says, and continues:-

Please read our analysis of the bulletin points below:-

2001-07-10: Apache Possible Directory Index Disclosure Vulnerability

We test for this but we have never found the exploit to work so far; we feel this is probably due to a server having directory index permissions prior to the exploit being run.

2001-07-02: Apache Tomcat Cross-Site Scripting Vulnerability

Tomcat is an add-on to Apache; not being part of the default Apache installation, it cannot be described as a core service.

The attack relies on embedded malicious scripts from external links on the hosted page; it appears as if the malicious code comes from the hosted page. Most web servers are susceptible to this attack.

The attack does not attack the webserver, or cause a denial of service attack.

IIS has at least two cross-site scripting vulnerabilities in its core configuration:-

2000-08-21: Microsoft IIS Cross Site Scripting .shtml Vulnerability
2000-08-21: Microsoft FrontPage/IIS Cross Site Scripting shtml.dll Vulnerability

2001-06-10: MacOS X Client Apache File Protection Bypass Vulnerability

This is due to Apache running on Mac OS and was due to the way in which the Macintosh OS HFS+ filesystem handled case sensitivity of filenames. If the Macintosh UFS file system is used, which handles case properly, the "bug" disappears. So the fault is not really with Apache.

It would be more of a worry if this worked on an Apache mainstream Unix platform.

2001-04-12: Apache Web Server HTTP Request Denial of Service Vulnerability

This is due to resource starvation when an attacker requested certain long strings. It is known only to affect Apache running on Windows.

It would be more of a worry if this worked on an Apache mainstream Unix platform.

2001-03-28: Apache Tomcat 3.0 Directory Traversal Vulnerability
2001-03-28: Multiple Vendor URL JSP Request Source Code Disclosure Vulnerability

Tomcat is an add-on to Apache; it is not part of the default installation and cannot be described as a core service.

[In the first] By requesting a JSP file with special characters it is possible to read files and directories outside the webserver root.

[In the second] By appending %70 or similar to the end of a jsp file, the file is downloaded instead of run.

2001-03-13: Apache Artificially Long Slash Path Directory Listing Vulnerability

By requesting a directory with multiple '//' it was possible to view the contents.

We support this, as it allows remote attackers to see the directory contents, called the index.

THE REST

"PHP - Windows Equivalent to ASP.DLL, and PHP admin"

PHP is a cross-platform language that is also supported by Microsoft's IIS, so the PHP flaws are not specific to Apache but also to IIS and Windows!

The publishers should make their mind up: either jsp or php is equivalent to asp. We feel that jsp and php were selected as they have a history of flaws.

I would suggest, for the sake of accuracy, that the cgi or pl (perl) extensions should be described as equivalent to asp; these are provided enabled as default with most Unix Apache distributions and have few published flaws.

CONCLUSION
I feel that the only valid mainstream Unix Apache flaw mentioned was the Apache Artificially Long Slash Path Directory Listing Vulnerability, which was fixed early this year but was of low severity, only exposing additional information. The remainder were due to add-on programs and to running on non-mainstream Apache platforms.

Richard Brain
Technical Director
ProCheckUp
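As an added illustration, not part of Mr Brain's letter or of the article, the following Python scans web-server access-log lines for the three request shapes the letter describes: multiple slashes on a directory, an encoded character hiding a .jsp extension, and '..' traversal. The log lines and paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2001:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1024
10.0.0.6 - - [12/Jul/2001:10:01:03 +0000] "GET /images//////// HTTP/1.0" 200 2048
10.0.0.7 - - [12/Jul/2001:10:01:04 +0000] "GET /examples/jsp/num/numguess.js%70 HTTP/1.0" 200 3000
10.0.0.8 - - [12/Jul/2001:10:01:05 +0000] "GET /examples/jsp/../../../../etc/passwd HTTP/1.0" 404 300
10.0.0.9 - - [12/Jul/2001:10:01:06 +0000] "GET /examples/jsp/num/numguess.jsp HTTP/1.0" 200 3000
"""

# Pull method and request target out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A '..' path segment anywhere in the decoded path.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def classify_request(target):
    """Return the finding labels that apply to one request target."""
    path = target.split('?', 1)[0]          # ignore the query string
    decoded = unquote(path)                 # what the server will act on
    findings = []
    # Repeated slashes on a directory: the "long slash path" listing bug.
    if '//' in path:
        findings.append('multiple-slash directory listing')
    # Percent-encoding inside the final segment that decodes to a .jsp name
    # (e.g. .js%70): the servlet mapping misses, the raw source is served.
    last = path.rsplit('/', 1)[-1]
    if '%' in last and '.jsp' in unquote(last).lower():
        findings.append('encoded JSP extension (source disclosure)')
    # Dot-dot segments after decoding: escape from the web root.
    if TRAVERSAL_RE.search(decoded):
        findings.append('directory traversal')
    return findings


def scan_log(text):
    """Return (target, findings) for every log line that raises a finding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = classify_request(m.group('target'))
        if findings:
            hits.append((m.group('target'), findings))
    return hits


if __name__ == '__main__':
    for target, findings in scan_log(SAMPLE_LOG):
        print(target, '->', ', '.join(findings))
```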

A reader of SecurityFocus points out that the extracts are verbatim from the site:-

You may want to compare the two:-

The Apache list

The PHP list

The phpMyAdmin List

Chris Vale adds:-

The CERT advisory [for the July 2 2001 Apache/Tomcat vulnerability] was issued 2000-02-03, a year and a half before Microsoft's date! It was fixed as of 1.3.12! Not only is Microsoft astroturfing but they're fudging the truth anyway.

Pascal Meunier of Purdue University has, we thought, the nicest take on the all-created-equal approach:-

"It doesn't matter what system you are running, if you don't keep up to date you will be hit."

That's not very smart. It's like saying that it doesn't matter whether you buy a Toyota Camry or a Russian Lada, because you will eventually have to service it. Excuse me, but I'd rather own the Camry, thank you very much, because the probability of trouble is lower for the Camry. Of course I need to get both cars inspected regularly. The name of the game is risk management, and every manager has the responsibility to minimize risks.

Using software of doubtful quality is irresponsible.®
