Forum OpenACS Q&A: AOLserver 3.0 vulnerability

Collapse
1: AOLserver 3.0 vulnerability
Posted by Andrew Lahser on 08/23/01 07:01 PM
I saw this on the AD bboards. AOLserver 3.0 vulnerability http://www.arsdigita.com/bboard/q-and-a-fetch-msg?msg%5fid=000hNB&topic%5fid=21&topic=web%2fdb My question is, has anyone spent any time working out which parts of AD13 need to be applied to AOLServer 3.3.1 or 3.4 so that it will continue to work with openACS or ACS 4.3?
Collapse
2: Response to AOLserver 3.0 vulnerability (response to 1)
Posted by Jonathan Marsden on 08/23/01 07:41 PM
The link you provided seems broken. I think you meant

FYI: AOLserver 3.0 vulnerability: http://www.arsdigita.com/bboard/q-and-a-fetch-msg?msg_id=000hNB

However, the exploit script therein causes no damage at all when run against my local OpenACS 3.2.5 installation, which uses AOLserver 3.3+ad13.

Is it possible that this problem was fixed in AOLserver 3.3 as well as in 3.3.1?

Collapse
3: Response to AOLserver 3.0 vulnerability (response to 1)
Posted by Jonathan Marsden on 08/23/01 07:49 PM
Correction: the current aolserver tarball from aD was 3.3.1+ad13, so it already had the fix for this exploit in it.  My aolserver RPMs used this as their base, not AOlserver 3.3 + ad13.

So it seems that the 3.3.1 + ad13 combination is what aD themselves recommend.  It works for me.

Collapse
4: Response to AOLserver 3.0 vulnerability (response to 1)
Posted by Andrew Lahser on 08/24/01 04:30 PM
Thanks Jonathan.
<doh>I guess the bigger question is why haven't I been using the
latest version</doh>

Andrew Lahser