Forum OpenACS Q&A: Re: aolServer security issues

Posted by David Walker on
AOLserver DB Proxy Daemon Format String Vulnerability
Never an issue for OpenACS.  OpenACS uses Oracle or Postgres DB drivers and not the External DB drivers.  You would be programming outisde of OpenACS for this to be an issue.

AOLserver Authorization Buffer Overflow
AOLserver Exploit Code Released (ParseAuth)
Looks like ParseAuth is called before filters are run so
1.  OpenACS probably would be vulnerable
2.  A simple filter would not provide safety.
If a problem occurs in AOLServer source code but the code is called after the filters are run, then it may be possible to write a filter to protect your site from an exploit even if a patch is not yet created.

AOLserver Vulnerable To Host Buffer Overflow
I don't see any difference between the code alleged to show this vulnerability and the code for the Authorization Buffer Overflow.