From: spowers@shire.ncsa.uiuc.edu (Scott Powers)
To: www-security@ns2.rutgers.edu
Date: Thu, 13 Apr 1995 12:45:18 -0500 (CDT)
Cc: efrank@ncsa.uiuc.edu
Errors-To: owner-www-security@ns2.rutgers.edu

> From owner-www-security@ns2.rutgers.edu Thu Apr 13 12:29:17 1995
> Errors-To: owner-www-security@ns2.Rutgers.EDU
> Message-Id: <199504131625.JAA18282@kitty.oester.com>
> To: www-security@ns2.rutgers.edu
> From: "Gintaras Richard Gircys (GG148)" <rich@oester.com>
> X-Phone: 408 722 3682
> X-Orgs: Oesterreich & Assc. Inc.
> X-Snail: 2014 Eureka Canyon Road, Corralitos, CA. 95076
> Subject: ncsa security problems
> Date: Thu, 13 Apr 1995 09:25:56 -0700
> Sender: owner-www-security@ns2.Rutgers.EDU
> Precedence: bulk
> Errors-To: owner-www-security@ns2.Rutgers.EDU
> content-length: 345
>
> list,
>
> there have been quite a few security issue postings on ncsa recently, enough
> to make me think about switching to the cern server (especially since the
> ncsa people seem somewhat refractory about fixes, etc.).

As soon as the first bug was reported (strsubfirst), a patch was started and
then released two days later. Pretty good for a one-man server development
team. Since then there have been more people added to the team (up to 5 now)
and they are hard at work on 1.4, which _has_ all of these bugs taken in hand.
However, timing is of the essence here... 3 of the 5 members of the server
team are currently in Germany for the conference, which is why there have not
been any answers to these posts. I have been forwarding on the messages and my
suggested patches for each instance (2 more have been reported since the
first). There will be official patches released as soon as they can be
approved by the project lead, who is in Germany.

I realize this is akin to "the dog ate my homework" and it doesn't help you
guys out a whole lot in the meantime, but if we release a patch prematurely it
would be a bad thing if it turned out to screw something else up or not cover
the hole entirely. Please bear with us.

> has anyone looked at the cern code? is it better? to date, seems to me that
> ncsa is by far the leader over cern in problems.

Have _you_ looked at the cern code? For one, it is huge. For two, it is
spaghetti. It is very difficult code to read, which is for the most part
completely undocumented. Kudos to whoever does check it out _and_ can stand by
his/her word that it is completely safe. NCSA's httpd is the leader in
problems because it is more widely used.

> rich

Scott Powers

P.S. I am not on the server dev team (X dev for Mosaic), but I have worked
closely with them concerning the security problems. I assure you there will be
patches released for httpd 1.3.

-- 
+---------------------------------------------------------------------------+
|"Sorry, not tonite honey....I have a modem."                  --Anonymous |
+---------------------------------------------------------------------------+
|spowers@shire.ncsa.uiuc.edu                                                |
|Scott W. Powers, Research Programmer at the Software Development Group,    |
|National Center for Supercomputing Applications                            |
+---------------------------------------------------------------------------+
|Cyber Doors: http://shire.ncsa.uiuc.edu/                                   |
+---------------------------------------------------------------------------+