Experts demolish MS anti-Apache FUD

Bug vs Bug Comparison Gets Readers Antsy

Letters Re:
MS targets Linux, Mac rivals with IIS Astroturf
MS vows rewritten IIS, more patches

In response to Gartner's recommendation that businesses investigate alternatives to Microsoft's Internet Information Server, the Beast sent its sales staff a crib sheet with the theme: "all web servers are vulnerable - but some are more vulnerable than others". Several dozen of you have written to point out that Microsoft's list of vulnerabilities in Apache, PHP and MySQL misses the point.

"I am concerned along with many others with the apparently misinformed sales bulletin, sent by Microsoft to its sales force," Richard Brain of ProCheckUp writes. Some of the 'bugs' don't exist, he says, and continues:-

Please read our analysis of the bulletin points below:-

2001-07-10: Apache Possible Directory Index Disclosure Vulnerability

We test for this but we have never found the exploit to work so far; we feel this is probably due to a server having directory index permissions prior to the exploit being run.

2001-07-02: Apache Tomcat Cross-Site Scripting Vulnerability

Tomcat is an add-on to Apache; not being part of the default Apache installation, it cannot be described as a core service.

The attack relies on embedded malicious scripts from external links on the hosted page; it appears as if the malicious code comes from the hosted page. Most web servers are susceptible to this attack.

The attack does not attack the webserver, or cause a denial of service attack.

IIS has at least two cross-site scripting vulnerabilities in its core configuration:-

2000-08-21: Microsoft IIS Cross Site Scripting .shtml Vulnerability
2000-08-21: Microsoft FrontPage/IIS Cross Site Scripting shtml.dll Vulnerability

2001-06-10: MacOS X Client Apache File Protection Bypass Vulnerability

This is due to Apache running on Mac-OS and was due to the way in which the Macintosh OS HFS+ filesystem handled case sensitivity of filenames. If the Macintosh UFS file system is used, which handles case properly, the "bug" disappears. So the fault is not really with Apache.

It would be more of a worry if this worked on an Apache mainstream Unix platform.

2001-04-12: Apache Web Server HTTP Request Denial of Service Vulnerability

This is due to resource starvation when an attacker requested certain long strings. It is known only to affect Apache running on Windows.

It would be more of a worry if this worked on an Apache mainstream Unix platform.

2001-03-28: Apache Tomcat 3.0 Directory Traversal Vulnerability
2001-03-28: Multiple Vendor URL JSP Request Source Code Disclosure Vulnerability

Tomcat is an add-on to Apache, and is not part of the default installation and cannot be described as a core service.

[In the first] By requesting a JSP file with special characters it is possible to read files and directories outside the webserver root.

[In the second] By appending %70 or similar to the end of a jsp file, the file is downloaded instead of run.

2001-03-13: Apache Artificially Long Slash Path Directory Listing Vulnerability

By requesting a directory with multiple '//' it was possible to view the contents.

We support this, as it allows remote attackers to see the directory contents called the index.

THE REST

"PHP - Windows Equivalent to ASP.DLL, and PHP admin"

PHP is a cross-platform language that is also supported by Microsoft's IIS, so the PHP flaws are not specific to Apache but also to IIS and Windows!

The publishers should make their mind up, either jsp or php is equivalent to asp. We feel that jsp and php were selected as they have a history of flaws.

I would suggest for the sake of accuracy that the cgi or pl (perl) extensions should be described as equivalent to asp, these are provided enabled as default with most Unix Apache distributions and have few published flaws.

CONCLUSION
I feel that the only valid mainstream Unix Apache flaw mentioned was Apache Artificially Long Slash Path Directory Listing Vulnerability, which was fixed early this year but was of low severity only exposing additional information. The remainder were due to add-on programs and running on non-mainstream Apache platforms.

Richard Brain
Technical Director
ProCheckUp
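
The HFS+ case, the repeated-slash case and the %70 case in the letter above each involve a request path spelled differently from the form a server rule expects. As an added illustration (not part of the letter, and not Apache or Tomcat code), this sketch generalizes them to a toy rule matcher with constructed rules and paths, comparing a match on the raw path with a match on a canonical form.

```python
import posixpath
from urllib.parse import unquote

# Constructed policy for illustration only (hypothetical names).
PROTECTED_DIRS = ("/private",)     # must never be served
EXECUTED_EXTENSIONS = (".jsp",)    # must be run, never sent as source


def naive_decision(raw_path):
    """Match rules against the request path exactly as it arrived."""
    if raw_path.startswith(tuple(d + "/" for d in PROTECTED_DIRS)):
        return "deny"
    if raw_path.endswith(EXECUTED_EXTENSIONS):
        return "execute"
    return "serve-static"


def canonicalize(raw_path, case_insensitive_fs):
    """Reduce equivalent spellings of a path to a single form."""
    path = unquote(raw_path)                 # "%70" becomes "p"
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    # normpath keeps a leading "//", so strip leading slashes first;
    # it then collapses inner "//" and resolves "." and "..".
    path = posixpath.normpath("/" + path.lstrip("/"))
    # Fold case only when the filesystem treats "Private" and
    # "private" as the same name (the HFS+ situation in the letter).
    return path.casefold() if case_insensitive_fs else path


def safe_decision(raw_path, case_insensitive_fs):
    """Apply the same rules, but to the canonical path."""
    canon = canonicalize(raw_path, case_insensitive_fs)
    if any(canon == d or canon.startswith(d + "/") for d in PROTECTED_DIRS):
        return "deny"
    if canon.endswith(EXECUTED_EXTENSIONS):
        return "execute"
    return "serve-static"


# Constructed request paths, one per spelling trick named in the letter.
SAMPLES = ["/Private/report.txt", "//private//report.txt", "/index.js%70"]


def compare(case_insensitive_fs):
    """Return (path, naive result, canonical result) for each sample."""
    return [(p, naive_decision(p), safe_decision(p, case_insensitive_fs))
            for p in SAMPLES]
```

On a case-sensitive filesystem the mixed-case path is a different name, so `safe_decision` leaves it alone there, which matches the letter's remark that the "bug" disappears on UFS.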

A reader of SecurityFocus points out that the extracts are verbatim from the site:-

You may want to compare the two:-

The Apache list

The PHP list

The phpMyAdmin List

Chris Vale adds:-

The CERT advisory [for the July 2 2001 Apache/Tomcat vulnerability] was issued 2000-02-03 a year and a half before Microsoft's date! It was fixed as of 1.3.12! Not only is Microsoft astroturfing but they're fudging the truth anyway.

Pascal Meunier of Purdue University has, we thought, the nicest take on the all-created-equal approach:-

"It doesn't matter what system you are running, if you don't keep up to date you will be hit."

That's not very smart. It's like saying that it doesn't matter whether you buy a Toyota Camry or a Russian Lada, because you will eventually have to service it. Excuse me, but I'd rather own the Camry, thank you very much, because the probability of trouble is lower for the Camry. Of course I need to get both cars inspected regularly. The name of the game is risk management, and every manager has the responsibility to minimize risks.

Using software of doubtful quality is irresponsible.®
