July 8, 2002

FrontPage extensions may not work with latest Apache security fix

- By Robin "Roblimo" Miller -

On June 17, CERT Advisory CA-2002-17 revealed an Apache Web server chunk handling vulnerability that affected versions 1.2.2 through 1.3.24 and 2.0 through 2.0.36. Before long, Apache maintainers had a fix; versions 1.3.26 and 2.0.39 (and higher) solved the problem. But Microsoft still hasn't released a FrontPage version that works with the patched versions of Apache, so many Apache servers running FrontPage extensions may still be vulnerable to the exploits Apache maintainers and others rushed so frantically to prevent.

Eric Williams, systems administrator for e-BUILDERS, LLC, a Web hosting firm based in Elsberry, Missouri, says he contacted Microsoft at the end of June, looking for updated FrontPage extensions for Apache that would work with the recently-released versions that eliminated the vulnerability mentioned in the CERT advisory. Eric says, "The guy we talked to didn't seem to know about the vulnerability, or if he did he didn't want to admit it, and had no news about any release coming out that would work."

Other software suppliers Eric deals with were both aware of this vulnerability and responded to it almost immediately. He says, "A few days after the Apache vulnerability was revealed, Red Hat released a patch for it."

The only hole left for Eric was FrontPage. "I pretty much shut down FrontPage extensions," he says, while he waited for his Microsoft support rep to find a solution and get back to him with it.

On Thursday, July 4, Eric was still waiting. He says, "My goal was to get a copy of FrontPage running with a copy of Apache that wasn't exploitable. [That] doesn't sound very unreasonable does it?"

A search of relevant pages at Microsoft.com turned up no information about the recent Apache vulnerability or any advice about installing FrontPage extensions on Apache versions higher than 1.3.24. Indeed, the only prominent reference we found on Microsoft's site to running FrontPage server extensions on Apache sent us either to a "page cannot be found" notice or to an outside vendor's Web page that says nothing but "Apache 1.3.26 is no [sic] supported. You should use the 1.3.22 patch."

Eric finally got a call back from his Microsoft tech support rep on the evening of July 6, in the form of a voice mail message about the possibility of an updated version of the FrontPage server extensions that would work with the new, recently secured versions of Apache. NewsForge listened to the message from the Microsoft support rep, who said, "Microsoft is looking into it. We expect a new release eventually, we just don't know exactly when."

Chances are, someone besides Microsoft will get FrontPage extensions working with the latest Apache releases before long, and will share their solution with others. Indeed, Eric is working on this himself, not out of love for Microsoft but because, he says, "You work for the customers, and some of them want to use FrontPage."

At this point, it appears that Microsoft only officially supports FrontPage for Apache version 1.3.19 on Red Hat 6.2 and 7.0. Eric, like many systems administrators, has long since upgraded past those versions of Apache and Red Hat. "How long has 7.2 been out now?" Eric asks rhetorically, and adds, "To the support guy's credit he went ahead and tried to work with the Red Hat 7.1 and 7.2 servers we are running."

Is it possible that Microsoft is planning to drop support for FrontPage on Linux and Apache altogether? Or is this just an instance of a proprietary software company not releasing updates as rapidly as the Open Source community? We'll try to get an official statement from Microsoft and update this story as soon as we get an answer, assuming Microsoft's PR people have one to give.


