Sampsa,
TOPS-20 never ran on a PDP-11. TOPS-20 ran on the 36-bit DECsystem-20.
-Steve
-----Original Message-----
From: owner-hecnet at Update.UU.SE [mailto:owner-hecnet at Update.UU.SE] On
Behalf Of Sampsa Laine
Sent: Tuesday, September 22, 2009 15:56
To: hecnet at Update.UU.SE
Subject: Re: [HECnet] Security hole in CSWS
Guys, I've written a quick blurb about the flaw I found etc that I'm
posting on my blog once the Apace guys say they're releasing it.
Comments? Glaring factual inaccuracies? The intended audience is a
fairly technical bunch, prob mostly infosec consultants and pentesters.
http://rhesus.sampsa.com/csws-flaw/
On 22 Sep 2009, at 20:34, Sampsa Laine wrote:
It appears that
RewriteRule (;[0-9]*\?)|(;[0-9]*$) [R]
works as well.
The VMS Apache guys know about this and are working on it as we
speak, but I would suggest letting any clients etc know about this
before the formal advisory goes out as I should think this will hit
the automated testing tools such as Nessus pretty soon after that.
Sampsa
On 22 Sep 2009, at 20:27, Pontus wrote:
Hi
I'm not going to pretend I know mod_rewrite, but I spent some time
with
the docs and thought you could use the grouping info to replace with
what you matched:
(.*)(;[0-9]*\?) $1
(.*)(;[0-9]*$) $1
(I wrote two rules as I'm uncertain how the | binds)
Alternatively this passage from the docs might provide an alternative
solution:
<snip>
Additionally you can set special flags for Substitution by appending
[flags]
as the third argument to the RewriteRule directive. Flags is a
comma-separated list of the following flags:
<...>
- *||*'forbidden|F' (force URL to be forbidden)
This forces the current URL to be forbidden, i.e., it immediately
sends
back a HTTP response of 403 (FORBIDDEN). Use this flag in conjunction
with appropriate RewriteConds to conditionally block some URLs.
</snip>
Then you could at least avoid people reading the source.
/Pontus.
Sampsa Laine wrote:
Dennis,
I've got the rule down to:
RewriteRule (;[0-9]*\?)|(;[0-9]*$) /
but this is not ideal, as I don't really want to replace the ;
with a
/, just drop it but can't figure out the syntax for "replace with
nothing".
Any ideas?
Sampsa
On 21 Sep 2009, at 22:12, Dennis Boone wrote:
Yes, I have reported it to VMS engineering in India about an
hour ago
(well I assume in India, the guys had subcontinent accents) and
they
said they'd get back to me.
In the meantime, if CSWS has mod_rewrite, you might be able to
produce a
temporary fix in the form of a rewrite rule that rips the ;* off
the
end[1]
of .php urls.
[1] Well, ok, might be the middle too, if it's a GET with
parameters,
but that's just a slightly more involved pattern.
De
I've got the rule down to:
RewriteRule (;[0-9]*\?)|(;[0-9]*$) /
but this is not ideal, as I don't really want to replace the ; with
a /, just drop it but can't figure out the syntax for "replace with
nothing".
You don't, really. You match all the non-version bits of the filename
in parens so you have backreferences, and reconstruct the URL without
the version bits. Something like this:
RewriteRule ^(.*)(;[0-9]+)(.*) $1$3
I don't remember whether the substitution workspace includes script
parameters (?var=val). I _think_ that's already been removed. If not,
you might need to change the first parenthesized expression to something
like ([^?]+) instead.
De
Guys, I've written a quick blurb about the flaw I found etc that I'm posting on my blog once the Apace guys say they're releasing it.
Comments? Glaring factual inaccuracies? The intended audience is a fairly technical bunch, prob mostly infosec consultants and pentesters.
http://rhesus.sampsa.com/csws-flaw/
On 22 Sep 2009, at 20:34, Sampsa Laine wrote:
It appears that
RewriteRule (;[0-9]*\?)|(;[0-9]*$) [R]
works as well.
The VMS Apache guys know about this and are working on it as we speak, but I would suggest letting any clients etc know about this before the formal advisory goes out as I should think this will hit the automated testing tools such as Nessus pretty soon after that.
Sampsa
On 22 Sep 2009, at 20:27, Pontus wrote:
Hi
I'm not going to pretend I know mod_rewrite, but I spent some time with
the docs and thought you could use the grouping info to replace with
what you matched:
(.*)(;[0-9]*\?) $1
(.*)(;[0-9]*$) $1
(I wrote two rules as I'm uncertain how the | binds)
Alternatively this passage from the docs might provide an alternative
solution:
<snip>
Additionally you can set special flags for Substitution by appending
[flags]
as the third argument to the RewriteRule directive. Flags is a
comma-separated list of the following flags:
<...>
- *||*'forbidden|F' (force URL to be forbidden)
This forces the current URL to be forbidden, i.e., it immediately sends
back a HTTP response of 403 (FORBIDDEN). Use this flag in conjunction
with appropriate RewriteConds to conditionally block some URLs.
</snip>
Then you could at least avoid people reading the source.
/Pontus.
Sampsa Laine wrote:
Dennis,
I've got the rule down to:
RewriteRule (;[0-9]*\?)|(;[0-9]*$) /
but this is not ideal, as I don't really want to replace the ; with a
/, just drop it but can't figure out the syntax for "replace with
nothing".
Any ideas?
Sampsa
On 21 Sep 2009, at 22:12, Dennis Boone wrote:
Yes, I have reported it to VMS engineering in India about an hour ago
(well I assume in India, the guys had subcontinent accents) and they
said they'd get back to me.
In the meantime, if CSWS has mod_rewrite, you might be able to produce a
temporary fix in the form of a rewrite rule that rips the ;* off the
end[1]
of .php urls.
[1] Well, ok, might be the middle too, if it's a GET with parameters,
but that's just a slightly more involved pattern.
De
Hey group,
I was wondering if anyone was interested in a swap? I'm after a
VAXstation 3100 M78 (to try Ultrix on) and have to swap a VAXstation
4000/60. I can get some hard stats, but basically it has a full rack of
RAM, a 1280x1024 8 bit plane frame buffer and I can install an 18GB hard
drive with OpenVMS 7.3 on it.
I'm in the UK - Windermere.
Regards, Mark.
--
It appears that
RewriteRule (;[0-9]*\?)|(;[0-9]*$) [R]
works as well.
The VMS Apache guys know about this and are working on it as we speak, but I would suggest letting any clients etc know about this before the formal advisory goes out as I should think this will hit the automated testing tools such as Nessus pretty soon after that.
Sampsa
On 22 Sep 2009, at 20:27, Pontus wrote:
Hi
I'm not going to pretend I know mod_rewrite, but I spent some time with
the docs and thought you could use the grouping info to replace with
what you matched:
(.*)(;[0-9]*\?) $1
(.*)(;[0-9]*$) $1
(I wrote two rules as I'm uncertain how the | binds)
Alternatively this passage from the docs might provide an alternative
solution:
<snip>
Additionally you can set special flags for Substitution by appending
[flags]
as the third argument to the RewriteRule directive. Flags is a
comma-separated list of the following flags:
<...>
- *||*'forbidden|F' (force URL to be forbidden)
This forces the current URL to be forbidden, i.e., it immediately sends
back a HTTP response of 403 (FORBIDDEN). Use this flag in conjunction
with appropriate RewriteConds to conditionally block some URLs.
</snip>
Then you could at least avoid people reading the source.
/Pontus.
Sampsa Laine wrote:
Dennis,
I've got the rule down to:
RewriteRule (;[0-9]*\?)|(;[0-9]*$) /
but this is not ideal, as I don't really want to replace the ; with a
/, just drop it but can't figure out the syntax for "replace with
nothing".
Any ideas?
Sampsa
On 21 Sep 2009, at 22:12, Dennis Boone wrote:
Yes, I have reported it to VMS engineering in India about an hour ago
(well I assume in India, the guys had subcontinent accents) and they
said they'd get back to me.
In the meantime, if CSWS has mod_rewrite, you might be able to produce a
temporary fix in the form of a rewrite rule that rips the ;* off the
end[1]
of .php urls.
[1] Well, ok, might be the middle too, if it's a GET with parameters,
but that's just a slightly more involved pattern.
De
Hi
I'm not going to pretend I know mod_rewrite, but I spent some time with
the docs and thought you could use the grouping info to replace with
what you matched:
(.*)(;[0-9]*\?) $1
(.*)(;[0-9]*$) $1
(I wrote two rules as I'm uncertain how the | binds)
Alternatively this passage from the docs might provide an alternative
solution:
<snip>
Additionally you can set special flags for Substitution by appending
[flags]
as the third argument to the RewriteRule directive. Flags is a
comma-separated list of the following flags:
<...>
- *||*'forbidden|F' (force URL to be forbidden)
This forces the current URL to be forbidden, i.e., it immediately sends
back a HTTP response of 403 (FORBIDDEN). Use this flag in conjunction
with appropriate RewriteConds to conditionally block some URLs.
</snip>
Then you could at least avoid people reading the source.
/Pontus.
Sampsa Laine wrote:
Dennis,
I've got the rule down to:
RewriteRule (;[0-9]*\?)|(;[0-9]*$) /
but this is not ideal, as I don't really want to replace the ; with a
/, just drop it but can't figure out the syntax for "replace with
nothing".
Any ideas?
Sampsa
On 21 Sep 2009, at 22:12, Dennis Boone wrote:
Yes, I have reported it to VMS engineering in India about an hour ago
(well I assume in India, the guys had subcontinent accents) and they
said they'd get back to me.
In the meantime, if CSWS has mod_rewrite, you might be able to produce a
temporary fix in the form of a rewrite rule that rips the ;* off the
end[1]
of .php urls.
[1] Well, ok, might be the middle too, if it's a GET with parameters,
but that's just a slightly more involved pattern.
De
Dennis,
I've got the rule down to:
RewriteRule (;[0-9]*\?)|(;[0-9]*$) /
but this is not ideal, as I don't really want to replace the ; with a /, just drop it but can't figure out the syntax for "replace with nothing".
Any ideas?
Sampsa
On 21 Sep 2009, at 22:12, Dennis Boone wrote:
Yes, I have reported it to VMS engineering in India about an hour ago
(well I assume in India, the guys had subcontinent accents) and they
said they'd get back to me.
In the meantime, if CSWS has mod_rewrite, you might be able to produce a
temporary fix in the form of a rewrite rule that rips the ;* off the end[1]
of .php urls.
[1] Well, ok, might be the middle too, if it's a GET with parameters,
but that's just a slightly more involved pattern.
De
Cool, thanks for that, I'll put it into my advisory if I issue one, with credit to you of course :)
Sampsa
On 21 Sep 2009, at 22:12, Dennis Boone wrote:
Yes, I have reported it to VMS engineering in India about an hour ago
(well I assume in India, the guys had subcontinent accents) and they
said they'd get back to me.
In the meantime, if CSWS has mod_rewrite, you might be able to produce a
temporary fix in the form of a rewrite rule that rips the ;* off the end[1]
of .php urls.
[1] Well, ok, might be the middle too, if it's a GET with parameters,
but that's just a slightly more involved pattern.
De
Quick update: I've had a guy from HP's OpenVMS and Tru64 Apache team contact me, they're working on a fix. Turns out it's limited to MOD_PHP apparently, not all of CSWS.
Sampsa
On 21 Sep 2009, at 21:46, Brian Hechinger wrote:
On Mon, Sep 21, 2009 at 08:17:02PM +0100, Sampsa Laine wrote:
Guys,
What do you guys think, worth getting in touch with HP? I think this
could be a potential disaster waiting to happen...
A VMS Guru friend of mine replied with this:
=======================================================================
Not surprising. I would guess that the source code makes some
bad assumptions about file specifications.
It should definitely be reported to HP.
=======================================================================
-brian
--
"Coding in C is like sending a 3 year old to do groceries. You gotta
tell them exactly what you want or you'll end up with a cupboard full of
pop tarts and pancake mix." -- IRC User (http://www.bash.org/?841435)
Yes, I have reported it to VMS engineering in India about an hour ago
(well I assume in India, the guys had subcontinent accents) and they
said they'd get back to me.
In the meantime, if CSWS has mod_rewrite, you might be able to produce a
temporary fix in the form of a rewrite rule that rips the ;* off the end[1]
of .php urls.
[1] Well, ok, might be the middle too, if it's a GET with parameters,
but that's just a slightly more involved pattern.
De
