Forum OpenACS Q&A: AOLserver 3.0 vulnerability

Posted by Andrew Lahser on
I saw this on the AD bboards. AOLserver 3.0 vulnerability http://www.arsdigita.com/bboard/q-and-a-fetch-msg?msg%5fid=000hNB&topic%5fid=21&topic=web%2fdb My question is, has anyone spent any time working out which parts of AD13 need to be applied to AOLServer 3.3.1 or 3.4 so that it will continue to work with openACS or ACS 4.3?
Posted by Jonathan Marsden on
The link you provided seems broken. I think you meant

FYI: AOLserver 3.0 vulnerability: http://www.arsdigita.com/bboard/q-and-a-fetch-msg?msg_id=000hNB

However, the exploit script therein causes no damage at all when run against my local OpenACS 3.2.5 installation, which uses AOLserver 3.3+ad13.

Is it possible that this problem was fixed in AOLserver 3.3 as well as in 3.3.1?

Posted by Jonathan Marsden on
Correction: the current aolserver tarball from aD was 3.3.1+ad13, so it already had the fix for this exploit in it. My aolserver RPMs used this as their base, not AOLserver 3.3 + ad13.

So it seems that the 3.3.1 + ad13 combination is what aD themselves recommend.  It works for me.

Posted by Andrew Lahser on
Thanks Jonathan.
<doh>I guess the bigger question is why haven't I been using the
latest version</doh>

Andrew Lahser