×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Serious Apache Exploit Discovered

Soulskill posted more than 4 years ago | from the time-to-update dept.

Bug 160

bennyboy64 writes "An IT security company has discovered a serious exploit in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache's core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit." Note: according to the advisory, this exploit is exclusive to Windows.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

160 comments

NO EXPLOIT HERE (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31400072)

First post fuckers!

Note: Apache ON WINDOWS (-1, Troll)

Rogerborg (306625) | more than 4 years ago | (#31400102)

Amazing; usually we're all about the M$ bashing.

Re:Note: Apache ON WINDOWS (4, Informative)

TheRaven64 (641858) | more than 4 years ago | (#31400294)

MS bashing isn't really appropriate here. The module only runs on Windows (although there were some efforts to make it call out into WINE so you could run ISAPI modules on *NIX), but the vulnerability is entirely Apache's fault. It isn't doing any privilege separation or exploit mitigation, and it's running code at the highest possible privilege level, which makes this bug into a serious exploit. The same bug in a module that ran on Linux would result in a remote root exploit.

Re:Note: Apache ON WINDOWS (5, Insightful)

jedidiah (1196) | more than 4 years ago | (#31400338)

> The same bug in a module that ran on Linux would result in a remote root exploit.

Really?

      ps -aef | grep apach

      root 3029 1 0 08:10 ? 00:00:00 /usr/sbin/apache2 -k start
      www-data 3072 3029 0 08:10 ? 00:00:00 /usr/sbin/apache2 -k start
      www-data 3073 3029 0 08:10 ? 00:00:00 /usr/sbin/apache2 -k start

Re:Note: Apache ON WINDOWS (0)

Anonymous Coward | more than 4 years ago | (#31400590)

its an irrelevant point anyways if the server is a dedicated webserver; which 99% of all websites are hosted on these days

Re:Note: Apache ON WINDOWS (2, Insightful)

kabloom (755503) | more than 4 years ago | (#31400656)

You can still have undesirable security issues on dedicate web hosting servers, for three reasons. One: a remote root exploit allows the intruder to replace all of the data on your site with whatever malware/adware they feel like, or even post content to slander you. Two: they can still turn your web server into a spambot, something which is undesirable (or use it as a starting point for whatever other malicious attacks they feel like.)

Re:Note: Apache ON WINDOWS (4, Insightful)

jedidiah (1196) | more than 4 years ago | (#31400732)

It doesn't matter if "its just as bad". It isn't a "root exploit". It's highly inaccurate to call it one.

Muddling terms is how you end up with nonsense like not being able to tell programs from data.

Distinctions are important for just this reason.

Yes it still sucks.

Re:Note: Apache ON WINDOWS (1)

kabloom (755503) | more than 4 years ago | (#31400854)

A root exploit means that the attacker has complete control over the machine. It doesn't matter how important the system is or what they do with it. I just wanted to point out that an attacker who gets root over a dedicated webserver can still do undesirable things with it (in contrast to my parent poster who said that having root over a dedicated web server is no big deal). I'm not blurring distinctions

Re:Note: Apache ON WINDOWS (2, Funny)

1s44c (552956) | more than 4 years ago | (#31401040)

Muddling terms is how you end up with nonsense like not being able to tell programs from data.

But windows admins can't tell data from programs. They put both under c:\program files

Re:Note: Apache ON WINDOWS (1)

RulerOf (975607) | more than 4 years ago | (#31401982)

I was tempted to mod flamebait, but I had to say that Admins don't put data inside of Program Files.

Idiotic programmers put data inside of Program Files.

Admins put data in AppData, a directory in the application user's home/profile folder, where it belongs.

Re:Note: Apache ON WINDOWS (2, Informative)

raju1kabir (251972) | more than 4 years ago | (#31400962)

Whoosh. The output in the posting to which you replied was demonstrating that it's not a root exploit, it's an exploit of the account 'www-data'.

On web servers I run, all executable code (apache, log rotator, etc.) is on a partition mounted readonly and nosuid. Data is on a partition mounted noexec. Nothing in the file system outside of /tmp is writable by www-data. So compromising that account gets you very little. You can't run code (except in the web server's scripting context, which doesn't get you any farther than you were when you compromised it - and doesn't get you any closer to running code as root), you can't change files. All you can hope to do is mess with the database; basically the same as what you could do if you found a hole in the site scripts.

Re:Note: Apache ON WINDOWS (2, Insightful)

Bert64 (520050) | more than 4 years ago | (#31401162)

Dedicated webservers are actually far more attractive targets to attackers, they are likely to have a lot more upstream bandwidth available to them than a typical end user making them ideal for spam, ddos, and scanning for other machines to infect, or they could merely reuse the existing webserver as a delivery mechanism for malware or phishing sites.

Re:Note: Apache ON WINDOWS (2, Insightful)

Sleepy (4551) | more than 4 years ago | (#31400846)

99% huh? Bullshit.

I would be skeptical of any claim that even a "majority" of such websites were based on Windows. For a hosting provider, the extra hardware cost AND still lower performance of Windows just isn't worth it. Toss in higher licensing fees and a "pray to the black box" method of support, and you have yourself a losing business.

Now it's true that a SLIGHT majority of *parked/empty domains* might resolve to Windows webservers. I think that's what you meant, but spinning it the way you have done is... well, incredibly dishonest of you.

Re:Note: Apache ON WINDOWS (1)

twidarkling (1537077) | more than 4 years ago | (#31401140)

I think you misread the post. They're not saying that 99% of web sites are on Windows webservers, they're saying that 99% of websites are on webservers. Full stop. Rather than home machines, or dual purposed boxes.

Of course, with that cleared up, I'm still not sure what their point is. If a webserver's running Windows, and their copy of Apache gets hit with this exploit, it's still gonna fuck some shit up.

Re:Note: Apache ON WINDOWS (1)

JonStewartMill (1463117) | more than 4 years ago | (#31401262)

Wait, what? The way I read that post, it says that "99% of Apache web sites are hosted on dedicated servers." It doesn't say anything about them being Windows.

Re:Note: Apache ON WINDOWS (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31400880)

You can do the same sort of thing in windows. THAT the *DEFAULT* install of Apache is a admin user...

You can set who the launching user is of any service to be that of a lower user. *NOW* is the application capable of running like that? In this case probably. Many are not.

You can really really really really slice and dice how applications run on windows. In many ways it is better than the unix world. The downside is it is super super super complex. So no one uses it and just maxes out everything. In many ways the security model in windows is more interesting one (with nearly 18 different ways to control just files vs the 3 in linux).

The truth is no one really uses it and the underpinnings can be yanked out from the application because of other bad design decisions. The reason for this is that it is complex. 18 different flavors of file security vs 3. 3 is easier to remember. Even the cacls program (from xp) does not present the whole security model available. You can get at more thru the gui. The icacls program from vista and up can do more. This makes the system way more vulnerable to things as everyone just maxes it out so they do not have to fiddle with it. I cant really blame them as I do it too.

Now I did not read the article. But can you root the box if it is not running as a 'admin' type user?

But this really comes down to are you running the application as some sort of super user? Then your attack surface is at least equal to whatever that super user can do. Even in linux they know this. Hence your post of how the app trampolines itself into a lower class user. That this is not done in the windows version says something about the windows port now doesnt it?

Re:Note: Apache ON WINDOWS (2, Interesting)

nobodylocalhost (1343981) | more than 4 years ago | (#31401200)

Apache has to run as root at some point or else it can't bind to port 80. What you see from ps is after apache had setuid and forked. You can do the same thing in windows, but don't you agree it falls upon apache to do spawn processes as an unprivileged user? If you remember back in Apache 1 days, it was the same way in Linux, you had to run as root or load it as a plugin for inetd if you wanted to run it on port 80. I remember back in the days when we were using ipfwadm to forward all packets with server port 80 dest to port 8080 just so we could run Apache as a regular user. And even then it didn't work right all the time. In this specific case, I really don't see any reason to blame the OS.

Re:Note: Apache ON WINDOWS (3, Informative)

petermgreen (876956) | more than 4 years ago | (#31400536)

Apache on linux (at least in all the setups i've seen) starts as root so it can bind port 80 but then switches down to a lower privilage user to do the actual serving. Some damage could still be done of course but hopefully it's limited compared to the damage root can do.

Apache on windows defaults to running as "localsystem" (roughly the windows equivilent of root)

You can run it as another user but apparently ( http://httpd.apache.org/docs/2.0/platform/windows.html [apache.org] ) that user has to have "Act as part of the operating system" privilages. MS describes said privilages as "This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.".

So it seems either way to run Apache on windows you have to give it what ammounts to root privilages.

Re:Note: Apache ON WINDOWS (3, Informative)

the eric conspiracy (20178) | more than 4 years ago | (#31400550)

MS bashing isn't really appropriate here.

You must either be new here or have a very short memory.

The same bug in a module that ran on Linux would result in a remote root exploit.

Apache does not normally run as root on Linux. Only on Windows.

Re:Note: Apache ON WINDOWS (0)

Anonymous Coward | more than 4 years ago | (#31400724)

thanks for pointing that out 30 minutes after the guy directly above you already had.

Re:Note: Apache ON WINDOWS (2, Interesting)

Malc (1751) | more than 4 years ago | (#31400838)

Why would Apache run as an Administrator on Windows? Even IIS doesn't do that these days.

Re:Note: Apache ON WINDOWS (3, Insightful)

wastedlife (1319259) | more than 4 years ago | (#31402268)

Apache does not run as Administrator on Windows. I'm afraid it is worse than that, it runs as LocalSystem, which is more analogous to root than Administrator is. Even if you configure the service to run as a different account, it requires the "Log on as a service" and "Act as part of the operating system" privileges. Might as well use LocalSystem.

Re:Note: Apache ON WINDOWS (1)

jim_v2000 (818799) | more than 4 years ago | (#31402002)

Apache doesn't run under the admin account in Windows unless you've configured it that way.

Re:Note: Apache ON WINDOWS (1)

1s44c (552956) | more than 4 years ago | (#31401018)

The same bug in a module that ran on Linux would result in a remote root exploit.

It would not. By default apache runs as root to bind port 80 and/or 443, then it changes to an unprivileged user.

Why on earth anyone would want to run apache on windows is beyond me but it seems people do.

Re:Note: Apache ON WINDOWS (1)

mevets (322601) | more than 4 years ago | (#31402508)

There is an interesting note at security focus http://www.securityfocus.com/infocus/1765 [securityfocus.com] about how IIS is implemented securely by requiring kernel dll's to perform the heavy lifting. Kernel dll's, from what I understand, setup a shared state [ie. lump of memory ] between the application and the kernel for the given API.

After the foreplay is over, the application's privilege is lowered, however it still has that lump of shared memory that the kernel will rely on. It seems from the parent article about this exploit, that some jump table is being relied upon in the kernel that the app has done a poor job of cleaning up. Bad app! Worse Kernel!

Strangely, security focus seems to think this is an example of least privilege. This interface design is what has made windows so hard to lock down; and is what calls BS on the apologists. Although UNICES often have glaring holes in, for example, ioctl services, I've never seen one that was stupid as to callback into the application....

Re:Note: Apache ON WINDOWS (0)

Anonymous Coward | more than 4 years ago | (#31400382)

Amazing; usually we're all about the M$ bashing.

Yeah, but not even Slashdot's rabid MS bashers could spin this story to be Microsoft's fault, so I guess there was no point in mentioning it.

Whose fault...? (2, Funny)

argent (18001) | more than 4 years ago | (#31400538)

I don't know whose fault it is but the idea of running ISS plugins under Apache on Windows scares me. Whose fault is it when you run naked through the "hot" ward snogging the e-bola patients? It's ironic that you end up getting sick because the pretty nurse you kissed had mono, but ... good lord, people...

Re:Note: Apache ON WINDOWS (1, Flamebait)

mcgrew (92797) | more than 4 years ago | (#31400392)

Discussing exploits isn't "bashing".

However, in regards to MS (and we're close to being offtopic here) when was the last time you heard about an Apache vuln? Apache is relatively solid.

My problems with MS, however, are philosophical. MS seems to revel in giving the finger to standards, from the backslash to everything else. They brag about useability testing, but it almost seems like they take a group of children and mentally handicapped adults and flipping the bird to everyone else. E.g., I bought a netbook last week and tried to get on the internet with it at my favorite bar; the bar's router had something wrong with it and Windows couldn't find the DNS server. There seemed to be no way to tell Windows networking what the server address was. Meanwhile, a woman with an iPhone had no trouble using the wifi there. With earlier versions of Windows I had no trouble specifying a DNS server, and the help system is no help at all.

If I decide to run a server, it will be Apache on Linux.

I think it's funny that Apache got its neame from the earlier releases, it was a patchy server. Lots fewer patches these days!

Re:Note: Apache ON WINDOWS (2, Interesting)

Culture20 (968837) | more than 4 years ago | (#31400932)

I bought a netbook last week and tried to get on the internet with it at my favorite bar; the bar's router had something wrong with it and Windows couldn't find the DNS server. There seemed to be no way to tell Windows networking what the server address was. Meanwhile, a woman with an iPhone had no trouble using the wifi there. With earlier versions of Windows I had no trouble specifying a DNS server, and the help system is no help at all.

I'm more familiar with XP (which I know you can easily specify DNS with). Was this a Windows 7 Reduced Functionality for Netbooks (TM) version? I've noticed annoying things like that on my parents' computers. The worst is that "Users and Groups" is gone in the Computer Management MMC, so those tasks have to be done via command line. Windows 7 Enterprise is better than XP (wow, remote _and_ local IP settings and outgoing/incoming rules for Firewall? finally.), but the "home" versions are crippled in ways that make security difficult.

Re:Note: Apache ON WINDOWS (3, Informative)

Gadget_Guy (627405) | more than 4 years ago | (#31400958)

However, in regards to MS (and we're close to being offtopic here) when was the last time you heard about an Apache vuln? Apache is relatively solid

Both Apache and IIS are pretty secure, although I have no idea why you would run Apache on a Windows server.

My problems with MS, however, are philosophical. MS seems to revel in giving the finger to standards, from the backslash to everything else.

Oh dear, you didn't just claim that the forward slash was a standard, did you? MS-DOS 1 used the same conventions as CP/M and VMS for command line arguments: forward slash. When DOS 2.0 added directories, but they had to use backslash to prevent backwards compatibility problems. They couldn't use the Apple Mac's colon separator because they already used that for drive letters, and nobody wanted to be anything like VMS's square brackets []. (See, there really was no standard)

However, they did actually implement the paths using both / and \. You could change an environment variable to set the argument prefix. Then you could happily use "cd /DOS". Even today, both symbols work. You can try:

notepad c:\autoexec.bat
notepad c:/autoexec.bat

The only time where / doesn't work is when it may be interpreted as a command line option. So "cd /Windows" doesn't work, but "cd ./Windows" does work. The point is that there was no standard for directory separators because every operating system did things their own way. And even if they did differ, there was a valid reason to do so. It was not just "giving the finger to standards". There are examples of them not using standards, like the Outlook-Exchange interface (although they probably would have had to extend the interface to get it to work using the standards so there may have been no point).

As for your DNS story, of course Windows can set the DNS manually. Don't ask me to tell you where you set it, because they keep moving around the network configuration with every version of Windows. That really pisses me off. Every upgrade of Windows since Windows for Workgroups 3.11 has made networking harder. I don't know why they have to keep fiddling!

Re:Note: Apache ON WINDOWS (2, Insightful)

NetCow (117556) | more than 4 years ago | (#31402216)

although I have no idea why you would run Apache on a Windows server.

Because sometimes you're forced to use a Windows server platform yet at the same time are under budget constraints and can't afford Microsoft's licensing models.

Re:Note: Apache ON WINDOWS (0)

Anonymous Coward | more than 4 years ago | (#31402498)

when was the last time you heard about an Apache vuln?

You don't hear about them around here, but if you go to Secunia you will see that, in the last six years, Apache vulns have been much more abundant than IIS vulns.

Re:Note: Apache ON WINDOWS (2, Interesting)

Vectormatic (1759674) | more than 4 years ago | (#31400418)

PFew... for a second i was worried wether my centos VPS with tomcat (apache based, you never know), would be vulnerable to this Thanks for putting my mind at ease :)

Windows? (2, Insightful)

jspenguin1 (883588) | more than 4 years ago | (#31400106)

What percentage of Apache hosts run on Windows? I'd guess maybe 10%, a generous estimate. This isn't something that's going to bring the entire web down. Also, wouldn't you have to enable mod_isapi manually?

Re:Windows? (2, Informative)

Bright Apollo (988736) | more than 4 years ago | (#31400564)

Your guess would be wrong. Apache is the core webserver for lots of application servers; i.e. you're getting Apache every time you install Oracle IAS or WebSphere. Dunno about WebLogic but I'd guess that applies as well. Your 10% goes up, way up.

--#

Re:Windows? (1)

Alex Belits (437) | more than 4 years ago | (#31401868)

And who in his right mind would run those on Windows?

Re:Windows? (1)

jjohnson (62583) | more than 4 years ago | (#31402372)

Any company that's a Microsoft shop, which includes a really large number of Fortune 500 companies. That's why Oracle and IBM offer those products on Windows.

Windows only (5, Informative)

Albanach (527650) | more than 4 years ago | (#31400118)

This would have been useful in the summary. From the linked page:

Platform. Microsoft Windows

Details.
The Apache HTTP Server, commonly referred to as Apache, is a
popular open source web server software. mod_isapi is a core
module of the Apache package that implements the Internet Server
extension API. The extension allows Apache to serve Internet
Server extensions (ISAPI .dll modules) for Microsoft Windows
based hosts.

While I'm sure it will impact many people, I'd still imagine the majority of Apache users are running it on a platform other than Windows

Re:Windows only (1)

data64 (300466) | more than 4 years ago | (#31400274)

mod_isapi is a core module of the Apache package that implements the Internet Server extension API. The extension allows Apache to serve Internet Server extensions (ISAPI .dll modules) for Microsoft Windows based hosts.

So are you only vulnerable if you use ISAPI ? It does look like that module is enabled by default though. I wonder why ?

Re:Windows only (3, Informative)

kunakida (886654) | more than 4 years ago | (#31400560)

So are you only vulnerable if you use ISAPI ? It does look like that module is enabled by default though. I wonder why ?

Actually, according to the advisory, it seems you are only vulnerable if you actually load an ISAPI .dll module.

"it is possible to trigger a vulnerability in Apache mod_isapi that will unload the target ISAPI module from memory. However function pointers still remain in memory"

Even so, it's probably a good idea to comment out mod_isapi if you're not actively using it.

Why is mod_isapi enabled by default? (1)

CheckeredFlag (950001) | more than 4 years ago | (#31401004)

Good point! I had just assumed it was required to run php/mysql, but seems that it is only needed if you're going to run ISAPI extensions intended for IIS. I just disabled it on my WAMP servers with no side effects.

There seems to be very little need for this extension - it should be disabled by default.

Re:Why is mod_isapi enabled by default? (1)

Yvanhoe (564877) | more than 4 years ago | (#31401532)

It is a prerequisite and business-practice that any software on windows has as many vulnerable modules load by default as possible.

Re:Windows only (1)

newdsfornerds (899401) | more than 4 years ago | (#31402176)

HA! Go figure. Whenever the mainstream media reports on a worm/virus/trojan they NEVER mention that it affects only Windows machines. To CNN et al, computer == Windows so why be redundant by mentioning the OS? (J. R. Enduser can't tell MS Office from WinXP anyway.) And prolly MSFT buys lots of ad space at all the major news outlets so there would be pressure not to "emphasize" the affected platform.

Windows only exploit (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31400120)

Only affects Windows, though.
I wonder how many big deployments of Apache+Windows are out there.

Re:Windows only exploit (0)

Anonymous Coward | more than 4 years ago | (#31400470)

eBay is one example of a big site that seems to use the ISAPI (judging by their URLs). One can only hope PayPal (which is an eBay subsidiary after all) doesn't, or there is another big site that you don't want to be exploitable.

The new motto of IIS: (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31400150)

The new motto of IIS: "Security so shit that even open-source implementations of our API will leave your box looking like Goatse."

I was slightly worried, until I read this: (2, Interesting)

ipquickly (1562169) | more than 4 years ago | (#31400174)

Platform. Microsoft Windows

But is this the final nail in the Apache 1.3 coffin?
Now the boss is going to be upset even when you tell them your version is not vulnerable.

Re:I was slightly worried, until I read this: (0, Informative)

Anonymous Coward | more than 4 years ago | (#31400312)

But is this the final nail in the Apache 1.3 coffin?

No because it affects apache version 2.2.14

It's unanimous! (5, Funny)

ipquickly (1562169) | more than 4 years ago | (#31400206)

7 out of the first 8 posts agree that this is Windows only.

Re:It's unanimous! (2, Informative)

sayno2quat (1651749) | more than 4 years ago | (#31400286)

Perhaps you were being sarcastic, but doesn't unanimous mean everyone agrees, and not just a majority?

Re:It's unanimous! (1)

wintercolby (1117427) | more than 4 years ago | (#31400760)

Of course, everyone agrees that 7 out of 8 first posts agree that it's Windows only . . . Now I wonder if everyone agrees that 7 out of 8 first posts typically point out missing information in the summary. Don't mind me, I just read it differently.

Update to 2.2.15 (2, Funny)

blai (1380673) | more than 4 years ago | (#31400216)

But I don't want to restart my Windows :\

Re:Update to 2.2.15 (0)

Anonymous Coward | more than 4 years ago | (#31400230)

Surely you can just restart the service to get the fix? It might help to stop it before you apply the update, to ensure any files it's updating are not in use.

Re:Update to 2.2.15 (0)

Anonymous Coward | more than 4 years ago | (#31400658)

I don't want to restart my Windows

Not to worry, you can restart My Computer instead!

Re:Update to 2.2.15 (0)

Anonymous Coward | more than 4 years ago | (#31400768)

I'd figure that
> net stop apache2
(or something similar) before updating should do the task.
Halt it, update it, then
> net start apache2
should bring you back up?

I don't know for sure: I don't use Apache on Windows.

Re:Update to 2.2.15 (0)

Anonymous Coward | more than 4 years ago | (#31401282)

It's apache2.2 on my box.

Not Apache's problem (2, Informative)

Anonymous Coward | more than 4 years ago | (#31400258)

http://httpd.apache.org/docs/2.0/mod/mod_isapi.html

ISAPI extension modules (.dll files) are written by third parties. The Apache Group does not author these modules, so we provide no support for them. Please contact the ISAPI's author directly if you are experiencing problems running their ISAPI extension. Please do not post such problems to Apache's lists or bug reporting pages.

Re:Not Apache's problem (1)

dsharp (117993) | more than 4 years ago | (#31400324)

I believe that refers to 3rd-party ISAPI modules, not mod-isapi itself. Presumeably, Apache *is* responsible for maintaining mod-isapi.

Re:Not Apache's problem (4, Informative)

WPIDalamar (122110) | more than 4 years ago | (#31400346)

The extension module DLL's are third party.

The core isapi apache module is all apache, and that's where the bug is.

Re:Not Apache's problem (1)

LordSnooty (853791) | more than 4 years ago | (#31400362)

Sure, vulnerable DLLs are not Apache's problem, but isn't the vuln here within the mod_isapi module, which presumably is supplied by Apache?

Re:Not Apache's problem (2, Informative)

florescent_beige (608235) | more than 4 years ago | (#31400496)

The problem isn't in the dlls per se, the exploit works by causing mod_isapi to unload a dll and leave dangling pointers to the api that can be invoked. The fix is an apache.org change to mod_isapi that prevents such unloading:

2.2.15 Release Notes [apache.org]

Changes with Apache 2.2.15

*) SECURITY: CVE-2010-0425 (cve.mitre.org) mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. [Brett Gervasoni brettg senseofsecurity.com, Jeff Trawick]

You bastards gave me a heart attack! (4, Funny)

SlappyBastard (961143) | more than 4 years ago | (#31400372)

I had to read the article to see it was Windows only . . . whew.

Re:You bastards gave me a heart attack! (0)

Anonymous Coward | more than 4 years ago | (#31401354)

I even did "find /etc/apache -iname '*isapi*'" to make sure we didn't use it.

Then I remember my old IIS days and the meaning of "ISAPI"...

Amen Brother! (1)

celtic_hackr (579828) | more than 4 years ago | (#31401770)

I saw that title and said Holy Crap Now I have to go search for patches pronto!
Can we add a feature to /. allowing us annoyed readers to electro-shock the submitters whenever they post such scary headlines?

Re:You bastards gave me a heart attack! (1)

Fujisawa Sensei (207127) | more than 4 years ago | (#31401886)

I had to read the article to see it was Windows only . . . whew.

I may be a little out of date, but I thought isapi was the IIS interface, meaning it was inherently Windows only. And isapi was mentioned as part of the summary.

OTOH, at least it means you actually RTFA.

Re:You bastards gave me a heart attack! (1)

SlappyBastard (961143) | more than 4 years ago | (#31402014)

It's been so long since I have used Windows for a server. I can see my last Windows server, a whopping 300 MHz killing machine, sitting at the bottom of a shelf in my office, waiting for the day I finally blank the hard drive and send it off to the Solid Waste Authority.

There was that inkling in the back of my head, but I had to read on for it to move forward in my brain.

Apache on Windows--More common than you think? (2, Informative)

sticks_us (150624) | more than 4 years ago | (#31400378)

There are many reasons why I wouldn't deploy a production (i.e. www-facing) webserver of any stripe running on Microsoft Windows, security being a big one of them.[1]

On the other hand, for some purposes (corporate intranet, for example), Apache on Windows has been a godsend--it's allowed us, for example, to migrate our internal apps to a Free platform gradually, while depreciating our existing Windows machines (and advocates) into oblivion.

---------------
1. Lots of people do, though. I'm pretty sure IBM and Oracle Websphere/Weblogic services all use Apache httpd at some level. Happy patching, boys and girls!

Re:Apache on Windows--More common than you think? (0)

Anonymous Coward | more than 4 years ago | (#31400576)

WebSphere uses its own HTTP stack.

Re:Apache on Windows--More common than you think? (2, Informative)

Anonymous Coward | more than 4 years ago | (#31400916)

WebSphere uses its own HTTP stack.

The IBM HTTP Server included with Websphere is based off of Apache. However, the mod_isapi module is disabled by default in IBM HTTP server installations. Websphere 6.1 uses an Apache 2.0.x based HTTP server, but Websphere 7.0 uses an Apache 2.2.x based HTTP server which could be vulnerable if you specifically enable this module.

Re:Apache on Windows--More common than you think? (1)

gazbo (517111) | more than 4 years ago | (#31400890)

DEPRECATING.

Unless you really meant you have a team of people chipping away at the Windows machines (and advocates) with hammers to accelerate their loss of monetary value?

Re:Apache on Windows--More common than you think? (1)

greed (112493) | more than 4 years ago | (#31401088)

I would like to subscribe to your team of people chipping away at the Windows machines with hammers service, please.

I'd like them to start with 4oz tack hammers and work up to 10lb sledgehammers over the course of a year.

Ah heck, just bring in the sidewalk drill and get it over with.

Re:Apache on Windows--More common than you think? (1)

Just Some Guy (3352) | more than 4 years ago | (#31401226)

Unless you really meant you have a team of people chipping away at the Windows machines (and advocates) with hammers to accelerate their loss of monetary value?

How would that decrease their value?

Re:Apache on Windows--More common than you think? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31401760)

Welcome to Earth! Your journey from the planet of linux fantasy must have been a long one. Please, regail us more of this mystical place where zealot sysadmins determine corporate policy and "internal apps" are written presumably were first written in, presumably, php for windows.

no, seriously. I'd like to know exactly what sort of "company" you think actually your apocryphal scenario would actually apply to? if it was a company that did anything serious (like a small bank or insurnace company), you'd be out of a job in seconds unless your boss were a complete idiot. i'm guessing it's either some government back-office where a technology can get away with such incompetence and experimentation or a small software firm where the rest of the guys are savvy enough that it's ok with them. unless it's running a billion servers like amazon or google or whatever, i have yet to find a serious company for whom the relatively insignificant cost of the operating system on their matters two shits compared the very high costs of user training and retraining, administrator hiring and rehiring, and so forth.

Always worried about reporting. (3, Interesting)

dannydawg5 (910769) | more than 4 years ago | (#31400454)

At a place I used to work, one of my coworkers reported a simple potential security problem: the username for the admin account on all our machines is the same as the computer's name. This just eliminates one less thing for a hacker to figure out. He was accused of "snooping", whatever that means, and almost lost his job. The only thing that saved him is a higher-up with a brain.

Whenever I hear a story about a person\firm reporting security risks, I am reminded of the story of my coworker, and I have heard too many similiar stories. It has trained to me keep my mouth shut about these problems.

Re:Always worried about reporting. (-1)

Anonymous Coward | more than 4 years ago | (#31400974)

That would be a problem, if Windows didn't have a hidden admin account that is always named the same. I propose to you the following formula will work on 80% of Windows XP systems:
1. If Welcome-screen in use, hit Ctrl-Alt-Del twice
2. Username "Administrator", empty password
3. Hit OK and use computer with admin privs
4. ...
5. Profit!!

Re:Always worried about reporting. (3, Informative)

Culture20 (968837) | more than 4 years ago | (#31401178)

That would be a problem, if Windows didn't have a hidden admin account that is always named the same. I propose to you the following formula will work on 80% of Windows XP systems:
1. If Welcome-screen in use, hit Ctrl-Alt-Del twice
2. Username "Administrator", empty password
3. Hit OK and use computer with admin privs
4. ...
5. Profit!!

On a home system maybe, but in corporate, sysadmins nuke the "mandatory user account" in favor of Administrator first thing, then they rename administrator to something else, either via GPO or locally (usually both). Some places like to disable the account while it's in AD too.
FYI, in Vista and Win7, I think you have to boot to safe mode for your trick to work since Administrator is usually disabled by default, but reenabled for safe mode.

Re:Always worried about reporting. (0)

Anonymous Coward | more than 4 years ago | (#31401810)

While that may hold true for larger corporations, I think you're overestimating the average small business sysadmin.

Re:Always worried about reporting. (1)

1s44c (552956) | more than 4 years ago | (#31401132)

Whenever I hear a story about a person\firm reporting security risks, I am reminded of the story of my coworker, and I have heard too many similiar stories. It has trained to me keep my mouth shut about these problems.

That's really bad. I know it's all too easy to tell someone to change job but that company is dysfunctional and You will do better elsewhere.

Re:Always worried about reporting. (0)

Anonymous Coward | more than 4 years ago | (#31402266)

Well, he did start off by saying "At a place I used to work...".

Sounds like he's already taken your advice.

Gain Complete Control (5, Funny)

ArundelCastle (1581543) | more than 4 years ago | (#31400484)

I would really like to make a shirt that says: "This T-shirt has a serious exploit that allows a remote attacker to gain complete control."
It should be printed around the bottom hem for maximum effect.
Could also work on tighty whiteys.

I said I'd like to make it, not wear it. :-)

Re:Gain Complete Control (0)

Anonymous Coward | more than 4 years ago | (#31400812)

Give it to your girl friend.

ISAPI = Lipstick on Ferrari (2, Informative)

Jonesy69 (904924) | more than 4 years ago | (#31400646)

Play on words here... Maybe its Lipstick on a pigs platform, as IIS SUCKS balls.

ISAPI == worthless in the context of using it for Apache. Most of its 'features' are well implemented in Apache with no need for ISAPI unless you're running very specialized apps that make extensive use of ISAPI.

Changing request data (URLs or headers) sent by the client # mod_rewrite
Controlling which physical file gets mapped to the URL # mod_rewrite
Controlling the user name and password used with anonymous or basic authentication #.htacess
Modifying or analyzing a request after authentication is complete # mod_rewrite
Modifying a response going back to the client #mod_rewrite
Running custom processing on "access denied" responses #mod_rewrite/mod_redirect...
Running processing when a request is complete # #/bin/bash-sh-perl-python-etc...
Run processing when a connection with the client is closed # #/bin/bash-sh-perl-python-etc...
Performing special logging or traffic analysis. # tcpdump/webalyzer
Performing custom authentication. # .htaccess/apache.conf/conf.d
Handling encryption and compression. # mod_ssl/mod_gzip

But do you really need mod_isapi (1)

Lew Perin (30124) | more than 4 years ago | (#31400762)

Not that I'd discourage anyone from keeping their Apache up-to-date, but I decided to see what would happen if I prevented the Windows Apache on my machine from loading mod_isapi. The answer? Nothing, apparently. The only thing I really feared was that it might interfere with the Zend debugger, but no, it's fine.

Thanks, jackass. (2, Funny)

CAIMLAS (41445) | more than 4 years ago | (#31400876)

Thanks, jackass. Just what I wanted on a Monday morning: to update a half dozen Internet-facing source-based systems. Of course, it was a false alarm: submitter was too much of a toolbag to mention it was Windows-only.

(And, it being a Monday morning, I didn't initially notice the mention of mod_isapi. Of course.)

In any apps? (1)

jbeaupre (752124) | more than 4 years ago | (#31400912)

Dumb question, but are there any Windows apps that serve pages to a browser front end that might have borrowed the Apache code in question?

editor: Change the title, please (0, Troll)

short (66530) | more than 4 years ago | (#31400920)

Do you chase web hits? Who cares about Windows, moreover together with Apache httpd?

Definitely emphasize windows-only! (1)

Teunis (678244) | more than 4 years ago | (#31401488)

I don't know that the bug doesn't exist under linux - but it wouldn't seem to. Of all the servers I run, 0% (no variance) run windows. I read this because the headline was so fearmongering only to realize ... it didn't matter.
Running software under windows these days is an experiment in running software in an unsafe, unreliable and probably infected environment anyway.

(while I'm still working with about a dozen servers, I'm mostly a computer tech - and that means spending 8+ hours a day clearing viruses off of computers with the occasional bit of repair in between).

Where are the binaries with OpenSSL??? (1)

CheckeredFlag (950001) | more than 4 years ago | (#31401672)

Looks like none of the download mirrors nor the Apache's backup contain the MSI installer that includes OpenSSL. Where is it? Only the non-ssl version is available.

The only exception appears to be the filehat mirror [filehat.com]. There is no pgp signature on apache's main server to verify its integrity either.

Was it pulled? Anyone know why it's unavailable?

Just on Windows - Whew! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31401720)

I was worried, up until it said it was exclusive to Windows! I knew there was a good reason I got off of Windows...

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...