Forum OpenACS Q&A: Security concerns on AOLserver/3.3.1+ad13


Hi all, Newbie here :) I did read the Changelog and DISTRIBUTION.txt that come with AOLserver/3.3.1+ad13 but haven't seen anywhere mentioned whether the patch for the DB Proxy format string vulnerability posted on BUGTRAQ in April (http://online.securityfocus.com/archive/1/267939) was applied. It did say the post-AOLserver 3.4.2 version is OK, but I tested out AD AOLserver and it works great, since I need the patch for Unicode/i18n.

Also, how do I hide the server version? When someone requests an invalid page, AOLserver will display the server info at the bottom of the page. I would like to hide this info. Is there a Signature off (similar to Apache) somewhere I could define?

Thank you for reading. -Larry
Posted by David Walker on
Thanks for bringing this up.  I hope this is documented but I found it by searching through the source code.  To hide the server version add "ns_param noticedetail 0" to the "ns/server/${server}" section of your config file.

ns_section "ns/server/${server}"
        ns_param  noticedetail 0
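A check for the setting above, as an added example that is not part of the original post or of AOLserver itself: it scans a raw HTTP response for an `AOLserver/<version>` token in both the headers and the body, so you can confirm the error-page footer is gone after setting noticedetail to 0 and see whether the version is still exposed anywhere else. The sample responses, the function name and the footer markup are constructed for illustration, not captured from a server.

```python
import re

# Matches a product/version token such as "AOLserver/3.3.1+ad13".
BANNER = re.compile(r"\bAOLserver/\d[\w.+-]*", re.IGNORECASE)

def find_version_leaks(raw_response):
    """Return (location, token) pairs for every version banner in a raw HTTP response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    leaks = []
    # Skip the status line, then inspect each "Name: value" header.
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            leaks += [("header:" + name.strip(), m.group(0))
                      for m in BANNER.finditer(value)]
    # The error-page footer the thread is about lives in the body.
    leaks += [("body", m.group(0)) for m in BANNER.finditer(body)]
    return leaks

# Constructed samples (assumptions, not real captures).
HEAD = "HTTP/1.0 404 Not Found\r\nServer: AOLserver/3.3.1+ad13\r\nContent-Type: text/html\r\n\r\n"
PAGE = "<html><body><h2>Not Found</h2>The requested URL was not found."
FOOTER = "<p align=right><small><i>AOLserver/3.3.1+ad13 on http://example.test</i></small></p>"

# Footer present: version appears in the Server header and in the page body.
WITH_FOOTER = HEAD + PAGE + FOOTER + "</body></html>"
# Footer suppressed, Server header unchanged: constructed to exercise the header path.
FOOTER_HIDDEN = HEAD + PAGE + "</body></html>"
# No version token anywhere.
CLEAN = "HTTP/1.0 404 Not Found\r\nContent-Type: text/html\r\n\r\n" + PAGE + "</body></html>"

if __name__ == "__main__":
    for label, resp in [("with footer", WITH_FOOTER),
                        ("footer hidden", FOOTER_HIDDEN),
                        ("clean", CLEAN)]:
        print(label, find_version_leaks(resp) or "no version disclosed")
```

To run it against a live server, save the output of a request for a nonexistent URL (headers included) and pass that text to `find_version_leaks`.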

Posted by David Walker on
Most OpenACS installs do not call for external db drivers.  Neither Postgres nor Oracle uses them.  Sybase is the only database I am aware of that uses external db drivers.

So unless you're using nsext.so for db connections I think you don't need to worry about this issue.

Posted by Larry Nguyen on
Thanks a lot, David. I followed your tip on hiding server info, and it works great.

I'm glad to hear I needn't worry about the format string vuln.

Posted by Andrew Piskorski on
Larry, the vulnerability you mention was discussed here in this thread back in April. The consensus was that that particular buffer overrun was not a problem for OpenACS (as nspd is not used), but that it would be good to look for similar vulnerabilities elsewhere in the code.

AFAIK, nothing else came of that. It would also be good to check the latest AOLserver sources, to see if nspd has been fixed, and bring it up on the AOLserver list if not. You might also be interested in Jon Griffin's recent AOLserver Security Audit thread.