Experts demolish MS anti-Apache FUD

Bug vs Bug Comparison Gets Readers Antsy


Letters Re:
MS targets Linux, Mac rivals with IIS Astroturf
MS vows rewritten IIS, more patches

In response to Gartner's recommendation that businesses investigate alternatives to Microsoft's Internet Information Server, the Beast sent its sales staff a crib sheet with the theme: "all web servers are vulnerable - but some are more vulnerable than others". Several dozen of you have written to point out that Microsoft's list of vulnerabilities in Apache, PHP and MySQL misses the point.

"I am concerned along with many others with the apparently misinformed sales bulletin, sent by Microsoft to its sales force," Richard Brain of ProCheckUp writes. Some of the 'bugs' don't exist, he says, and he continues:-

Please read our analysis of the bulletin points below:-

2001-07-10: Apache Possible Directory Index Disclosure Vulnerability

We test for this but we have never found the exploit to work so far; we feel this is probably due to a server having directory index permissions prior to the exploit being run.

2001-07-02: Apache Tomcat Cross-Site Scripting Vulnerability

Tomcat is an add-on to Apache; not being part of the default Apache installation, it cannot be described as a core service.

The attack relies on embedded malicious scripts from external links on the hosted page; it appears as if the malicious code comes from the hosted page. Most web servers are susceptible to this attack.

The attack does not attack the webserver, or cause a denial of service attack.

IIS has at least two cross-site scripting vulnerabilities in its core configuration:-

2000-08-21: Microsoft IIS Cross Site Scripting .shtml Vulnerability
2000-08-21: Microsoft FrontPage/IIS Cross Site Scripting shtml.dll Vulnerability

2001-06-10: MacOS X Client Apache File Protection Bypass Vulnerability

This is due to Apache running on Mac-OS and was due to the way in which the Macintosh OS HFS+ filesystem handled case sensitivity of filenames. If the Macintosh UFS file system is used, which handles case properly, the "bug" disappears. So the fault is not really with Apache.

It would be more of a worry if this worked on an Apache mainstream Unix platform.

2001-04-12: Apache Web Server HTTP Request Denial of Service Vulnerability

This is due to resource starvation when an attacker requested certain long strings. It is known only to affect Apache running on Windows.

It would be more of a worry if this worked on an Apache mainstream Unix platform.

2001-03-28: Apache Tomcat 3.0 Directory Traversal Vulnerability
2001-03-28: Multiple Vendor URL JSP Request Source Code Disclosure Vulnerability

Tomcat is an add-on to Apache, and is not part of the default installation and cannot be described as a core service.

[In the first] By requesting a JSP file with special characters it is possible to read files and directories outside the webserver root.

[In the second] By appending %70 or similar to the end of a jsp file, the file is downloaded instead of run.

2001-03-13: Apache Artificially Long Slash Path Directory Listing Vulnerability

By requesting a directory with multiple '//' it was possible to view the contents.

We support this, as it allows remote attackers to see the directory contents, called the index.

THE REST

"PHP - Windows Equivalent to ASP.DLL, and PHP admin"

PHP is a cross-platform language that is also supported by Microsoft's IIS, so the PHP flaws are not specific to Apache but also to IIS and Windows!

The publishers should make their minds up: either jsp or php is equivalent to asp. We feel that jsp and php were selected as they have a history of flaws.

I would suggest for the sake of accuracy that the cgi or pl (perl) extensions should be described as equivalent to asp, these are provided enabled as default with most Unix Apache distributions and have few published flaws.

CONCLUSION
I feel that the only valid mainstream Unix Apache flaw mentioned was Apache Artificially Long Slash Path Directory Listing Vulnerability, which was fixed early this year but was of low severity, only exposing additional information. The remainder were due to add-on programs and running on non-mainstream Apache platforms.

Richard Brain
Technical Director
ProCheckUp
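
An added example, not part of the letter or the original article: three of the issues discussed above (HFS+ case handling, runs of '/', and the %70 suffix) come down to a check being made on the raw request path rather than on the form the filesystem resolves. The sketch below shows the naive check beside a canonicalized one; the policy values and function names are hypothetical, and this is not how Apache or Tomcat implemented their fixes.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed policy for illustration only.
PROTECTED_PREFIXES = ("/private/",)
HANDLER_EXTENSIONS = (".jsp",)


def canonicalize(raw_path, case_insensitive_fs=False):
    """Reduce a request path to the one form the filesystem will resolve."""
    path = unquote(raw_path)                 # "%70" -> "p", "%2e" -> "."
    if "\x00" in path:
        raise ValueError("NUL byte in request path")
    path = re.sub(r"/+", "/", "/" + path)    # collapse runs of slashes
    trailing = path.endswith("/")
    path = posixpath.normpath(path)          # resolve "." and ".." under the root
    if trailing and path != "/":
        path += "/"                          # keep the directory marker
    if case_insensitive_fs:
        path = path.casefold()               # HFS+ treats /Private as /private
    return path


def naive_is_protected(raw_path):
    """Compares the raw request string, as the flawed checks effectively did."""
    return raw_path.startswith(PROTECTED_PREFIXES)


def is_protected(raw_path, case_insensitive_fs):
    """Applies the access rule to the canonical path instead."""
    return canonicalize(raw_path, case_insensitive_fs).startswith(PROTECTED_PREFIXES)


def is_handled_as_script(raw_path):
    """Decides on handler dispatch after decoding, so 'x.js%70' is still a JSP."""
    return canonicalize(raw_path).endswith(HANDLER_EXTENSIONS)


if __name__ == "__main__":
    for p in ("/Private/report.txt", "//private//report.txt", "/app/index.js%70"):
        print(p, "->", canonicalize(p, case_insensitive_fs=True))
```

On a case-sensitive filesystem the case fold must stay off, since `/Private` and `/private` are then genuinely different directories.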

A reader of SecurityFocus points out that the extracts are verbatim from the site:-

You may want to compare the two:-

The Apache list

The PHP list

The phpMyAdmin List

Chris Vale adds:-

The CERT advisory [for the July 2 2001 Apache/Tomcat vulnerability] was issued 2000-02-03 a year and a half before Microsoft's date! It was fixed as of 1.3.12! Not only is Microsoft astroturfing but they're fudging the truth anyway.

Pascal Meunier of Purdue University has, we thought, the nicest take on the all-created-equal approach:-

"It doesn't matter what system you are running, if you don't keep up to date you will be hit."

That's not very smart. It's like saying that it doesn't matter whether you buy a Toyota Camry or a Russian Lada, because you will eventually have to service it. Excuse me, but I'd rather own the Camry, thank you very much, because the probability of trouble is lower for the Camry. Of course I need to get both cars inspected regularly. The name of the game is risk management, and every manager has the responsibility to minimize risks.

Using software of doubtful quality is irresponsible.®
