
Re: [cobalt-security] Re: Frontpage and ChiliSoft Vulns [WAS: Code Red Special Effects]



Hmmmm, well of course I have to take some exception to a portion of
this. <g>

> They are theoretical, not yet real and focus on the fact the ISAPI filters
> that are FrontPage and ASP/DCOM+ and, soon, .NET and C# CLI, in IIS and,
> therefore, any OS that uses them are subject to the doctrine of 'inherent
> insecurity.'

This statement assumes that the other OSes that use "ASP/DCOM+ and,
soon, .NET and C# CLI, in IIS" are going to be using ISAPI. Since you
are using Chili!Soft as the example in your issue, I have to disagree
since ISAPI isn't involved at all in the use of Chili!Soft ASP.  For
that matter, the other implementations of ASP architecture on Linux
don't use ISAPI either.
 

> Bottom line, FrontPage in particular and ISAPI and ASP in general are a dumb
> idea, have been proven a dumb and insecure idea, and smart people will do
> well to advise their clients and businesses to steer clear of them.

Again in this statement, you are lumping ASP in with ISAPI.  What's been
proven to be insecure, in the Code Red issue at least, is the ISAPI
interface used in IIS.  ASP itself is not what is being exploited here. 
As for FrontPage......  I'm not a fan of it personally.  I don't know
enough about its use of protocols and APIs to speak.

> Opinion only, and I'm crawling into my asbestos underwear now.
You gotta love opinions! and of course this is only my *personal*
opinion. <bg>

--jb



"Michael J. Cannon" wrote:
> 
> Kevin:
> 
> The FrontPage on *nix threads are springing up in both the hacker IRC
> chatrooms and the vuln theorist maillists.
> 
> They are theoretical, not yet real and focus on the fact the ISAPI filters
> that are FrontPage and ASP/DCOM+ and, soon, .NET and C# CLI, in IIS and,
> therefore, any OS that uses them are subject to the doctrine of 'inherent
> insecurity.'
> 
> Of course, the argument can also be made that the insecurities, by the same
> doctrine, are actually at the .asm level (in the machine architecture) or as
> a result of such things as templates and the ability to cast 'badly formed'
> pointer structures and map memory badly on the physical/machine or
> lower-level architectures.  However, if that's the case, why haven't we seen
> the same level of exposure in Apache and other servers in Linux (other than
> those 'extended' by ChiliSoft and others into the ASP and ISAPI universes.)?
> 
> Bottom line, FrontPage in particular and ISAPI and ASP in general are a dumb
> idea, have been proven a dumb and insecure idea, and smart people will do
> well to advise their clients and businesses to steer clear of them.
> 
> Now a prediction:  with what's about to happen to the Microsoft
> implementations of RCL, RMI and, especially, RPC, we'll be saying the same
> thing about SOAP and .NET as we are currently saying about FrontPage...only
> instead of USD$2-billion a 12-day attack and media hysteria period, we'll
> be talking USD$20 and USD$40 billion in the same periods this time next
> year.
> 
> Opinion only, and I'm crawling into my asbestos underwear now.
> 
> Mike
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security