Forum OpenACS Q&A: aolServer security issues

Collapse
1: aolServer security issues
Posted by Brad Ford on 06/20/03 11:54 PM

I was busy getting laughed at by a linux geek friend about using aolServer (he couldn't get past the aol part - religion and all...) and being told that it's been hacked into on numerous occasions due to it's use by aol. I was only able to find a couple of instances of this in a google search but did find some security warnings on securiteam. All were for versions prior to 3.4. The recommended install is 3.3 + ad patches. I just want to know if it's been patched to fix the following (or at the very least - if they are not an issue for an openACS install):

There were a couple more for windows aolserver 3.4.2 but they're not relevant. Nothing for 4 betaX yet as far as I could tell but that's not surprising since it's still in beta. My Linux geek friend is under the impression that Apache was the be all and end all and couldn't be persuaded. Sigh...

Collapse
2: Re: aolServer security issues (response to 1)
Posted by Jade Rubick on 06/21/03 12:08 AM
Well, he doesn't sound like someone that listens to reasonable argument, so it might be pointless.

However, there have been far fewer security vulnerabilities in Aolserver than in Apache. Hopefully Jon Griffin will pipe in here about the current status of Aolserver security-wise.

A determined and knowledgeable hacker can get into almost anything. Very few script kiddies are targeting Aolserver, and when a vulnerability has been uncovered, it generally has been patched within a couple of hours.

You might ask this on the Aolserver mailing list as well. That's probably a better place to ask.

Collapse
3: Re: aolServer security issues (response to 1)
Posted by Don Baccus on 06/21/03 02:48 AM
The AOL team continues to migrate AOL properties to AOLserver (mapquest etc), so it would seem to me that your friend's dire warnings are somewhat overblown. I don't know of anyone in our community who's had one of their AOLserver sites hacked into due to any AOLserver security issues, and our community has some high-volume sites like Greenpeace that aren't loved by all and therefore are logical targets for hackers.

  • We don't use the DB Proxy Daemon
  • We normally don't use AOLserver Authorization but rather implement our own.
  • ParseAuth sounds related to the previous and was fixed in AOLserver 3.2.
  • The last looks related to Authorization too
You might try the last Perl script to see if aol3.3+ad13 dies.

Security problems like this one certainly don't do much to convince me that AOLserver's any less secure than Apache 2.0 ...

Collapse
4: Re: aolServer security issues (response to 1)
Posted by David Walker on 06/21/03 06:40 AM
AOLserver DB Proxy Daemon Format String Vulnerability
Never an issue for OpenACS.  OpenACS uses Oracle or Postgres DB drivers and not the External DB drivers.  You would be programming outisde of OpenACS for this to be an issue.

AOLserver Authorization Buffer Overflow
AOLserver Exploit Code Released (ParseAuth)
Looks like ParseAuth is called before filters are run so
1.  OpenACS probably would be vulnerable
2.  A simple filter would not provide safety.
If a problem occurs in AOLServer source code but the code is called after the filters are run, then it may be possible to write a filter to protect your site from an exploit even if a patch is not yet created.

AOLserver Vulnerable To Host Buffer Overflow
I don't see any difference between the code alleged to show this vulnerability and the code for the Authorization Buffer Overflow.

Collapse
5: Re: aolServer security issues (response to 1)
Posted by David Walker on 06/21/03 06:51 AM
I guess I need more sleep.  Looks like I pretty much duplicated Don's answer.  Maybe my reading comprehension skills aren't as good as they ought to be.
Collapse
6: Re: aolServer security issues (response to 1)
Posted by Andrew Piskorski on 06/21/03 08:40 AM
The specific potential AOLserver security issues above have also been discussed here extensively in the past. Try a search for them for more details, but Don's reply above gives a succinct overview.

Brad, your "Linux geek friend" simply has no idea what he's talking about, apparently willfully so, and is simply spreading FUD. Which is a particularly disreputable thing to see in any any self-described "geek", Linux or otherwise.

That said, historically, Jade's "generally patched within a couple hours" opinion of AOLserver security is, well, optimistic. I know Jon Griffin and others had complained about maintainers at AOL ignoring patches in the past, including some security related patches. But I believe that was all in the Bad Old Days, before last years changes in AOLserver governance, when fewer non-AOL people had CVS commit access on SourceForge, etc. So things are likely much better now.

And like Don said, even throughout that whole period, AOLserver still appears to have been safer than Apache. So unless you have particularly severe security needs, or are simply academically interested, you are probably safe to simply not worry about it. When the rare AOLserver security problem has been found it seems to have been discussed pretty quickly here and on the AOLserver list.

Collapse
7: Re: aolServer security issues (response to 1)
Posted by Don Baccus on 06/21/03 06:47 PM
I'll second what Andrew says about the "bad old days" when the AOLserver team was reluctant to accept patches or improvements from the user community.

Why was the AOLserver team reluctant?  In large part because off security concerns!  They were very busy, unfamiliar with the software engineers in the user community, didn't really have time to vet patches and were being paid to make AOLserver as solid as possible for AOL's use.

Which led, among other things, to Windows support being removed (because AOL is strictly a Unix shop.)

Things have changed greatly as the AOL team and the more skilled programmers within the user community have become acquainted with each other's work.

Windows support's been put back in.  The localization issues and cache module from ad13 are now included in AOLserver 4.0.  Various modules from the user community are available for download from the AOLserver sourceforge site.  Etc.

So the AOLserver team does work now in the "many eyes make short work" style so characteristic of successful Open Source projects.

Collapse
8: Re: aolServer security issues (response to 1)
Posted by Kjell Wooding on 06/22/03 11:08 PM
<blockquote> Throughout that whole period, AOLserver still appears to
have been safer than Apache
</blockquote>

I'd be careful with statements like this. AOLserver
has FAR less market penetration that apache, so it is
less of a target (think back to the old days
where "Windows" was more secure than "Unix" because
it had fewer internet-related vulnerabilities. heh.)

Truth be told, I don't know that anyone has ever audited
AOLserver for format string or other such vulnerabilities.
I do know of several projects that have done so for Apache,
though.

Realize here, I'm not arguing one way or another. I'm just
pointing out that AOLserver has gotten FAR less attention,
both by the black hats and the white, and will probably
continue to do so for quite some time.

Collapse
9: Re: aolServer security issues (response to 1)
Posted by Andrew Piskorski on 06/23/03 10:12 AM
:) Well, I wouldn't necessarily make that statement either, although now that I re-read his post, I realize I may have been putting word's into Don's mouth. Oops.

Certainly, some part of the fact that no OpenACS sites are known to have been hacked due to an AOLserver security failure must be due simply to AOLserver's relative obscurity and thus unpopularity as a target. Heck, remember when that Apache OpenSSL worm was making the rounds? It was written to check for and attack only Apache, but AFAIK there was no inherent reason that it couldn't work on AOLserver too - it just never tried. That sort of accidental safety in anonymity isn't what I'd really call "safety" at all, but it doesn't hurt.

Better security auditing, etc., is always nice, but at least so far I haven't seen anything to indicate that AOLserver is in any dire need of it. I'm not really the person to comment on Apache vs. AOLserver security at all, neither empirically (reports of failures) nor based on design and code review (especially since I've never read any Apache code at all), but there are others here who probably are, and I haven't heard any serious complaints along those lines from them...