- When we say "Upgrade!" you must do what we say, not do what we do
- We're still waiting for our order to be delivered
- It's not broke, and we don't need to fix it.
- We're less of a target for attackers. There's no kudos in hacking anything more than 5 years old.
- We've been evaluating Linux, and have not yet reached a decision.
- It's just the front end machines. Everything else has been running Windows 2003 for months. Honest!
- The cobbler's children didn't have shoes, either.
- That site doesn't see a lot of traffic. It just redirects to www.euro.dell.com
- If you think that running NT4 doesn't do a lot for our product advocacy, then you haven't seen what our evil competitor runs
Posted by Mike Prettejohn in Dogfood
The increasing availability and falling cost of high-bandwidth connections have called into question the continuing relevance of the Linux distribution industry. In 1995 only the very determined would have downloaded the Linux operating system over a 28.8K connection rather than pay for a CD, but equipped with a cable or DSL connection, the CD becomes much more optional.
Mandrake compounded this scenario by some commercially curious behaviour, making freely downloadable images of each new release available over the internet well before their CD editions were available. Mandrake's approach was popular but seemed to actively encourage people to download the new releases rather than buy CDs. More opportunistic companies have been able to sell CDs of new Mandrake releases for weeks before Mandrake's own boxed sets became available.
Sun launched its Identity Server this week, which is positioned as the first component of the Liberty Alliance single sign-on scheme for web site authentication. When the Liberty Alliance was first announced, its position seemed hopeless, as Microsoft Passport and AOL SNS already had their systems implemented and deployed. However, Passport and SNS have not by any means become pervasive: this month's survey found fewer than 100 unique sites using these systems, and Liberty now seems to have a plausible chance to compete with the established systems.
This month is the first time that a Windows 2000 site has appeared in the 50 top sites with the longest period of time since last reboot. www.byteandswitch.com has been running continuously since November 2000. When we first started graphing web servers' uptime in the summer of 2000, many people were skeptical that a Windows machine would ever make the top 50. Perceptions change, and although two years is exceptional, several Windows 2000 sites have run for more than a year without a reboot. In the hosting industry, Microsoft partners Interliant and Devine each have sites that have not been rebooted in over a year, while Microsoft has also run several of its own sites for over a year between reboots.
www.intel.com is one of a very small number of well known sites running both Windows 2000 and Windows 2003 in a load balanced pool, and has become a tempting target for people to use as a straw in the wind towards the relative performance of the two operating systems. One person mailed us saying he thought that the Intel site's response time had slowed since Intel started using Windows 2003, and asked for confirmation and explanation.
The performance of www.intel.com shows a saw tooth formation, with some responses consistently longer than others. Matching up the response times with the corresponding server signatures actually does confirm that the responses served by Microsoft-IIS/6.0 are consistently longer than those served by Microsoft-IIS/5.0.
Analysing the response time graph more carefully shows that the connection time and time to serve the first byte are consistent across the two sets of servers, but the time to serve the complete request is significantly higher on the Microsoft-IIS/6.0 servers.
[Graph: response times for www.intel.com measured from London at mid-day on 16 Jan 2003, broken down by web server]
It is important to appreciate that the difference need not be directly caused by the system software. Other plausible reasons could include:
- The hardware specification of the Microsoft-IIS/5.0 machines may be faster than those running Microsoft-IIS/6.0
- The configuration of the systems is likely to be different
- From looking at the TCP/IP characteristics, we think it is likely that the www.intel.com front page is served dynamically, and the migration of the application that generates the dynamic content may have introduced a performance penalty
- The configuration of the local network at Intel may have disadvantaged the Microsoft-IIS/6.0 machines in some way.
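The breakdown above (connect time, time to first byte, and time to complete the transfer, each matched against the Server header of whichever machine in the load-balanced pool answered) can be reproduced with a small script. The following is an added example and not Netcraft's measurement code: time_request opens a raw socket so that the three timings are measured separately, summarize groups the samples by server signature and reports medians, and demo_local runs the measurement against a throwaway local server whose "ExampleHTTPD/1.0" signature is invented. The SAMPLE_TIMINGS values are constructed to mimic the pattern described and are not real measurements of www.intel.com.

```python
# Added example (not Netcraft's code): measure connect, first-byte and complete
# transfer times for a GET, record the Server header of the machine that
# answered, and compare the medians per server signature.
import socket
import statistics
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def time_request(host, port, path="/", timeout=10.0):
    """Return (connect_s, first_byte_s, total_s, server_header) for one GET."""
    t0 = time.perf_counter()
    sock = socket.create_connection((host, port), timeout=timeout)
    t_connect = time.perf_counter() - t0
    chunks = []
    try:
        sock.sendall((f"GET {path} HTTP/1.0\r\nHost: {host}\r\n"
                      "Connection: close\r\n\r\n").encode("ascii"))
        chunks.append(sock.recv(65536))
        t_first = time.perf_counter() - t0          # first byte of the response
        while True:
            data = sock.recv(65536)
            if not data:                             # server closed: transfer done
                break
            chunks.append(data)
        t_total = time.perf_counter() - t0
    finally:
        sock.close()
    head = b"".join(chunks).partition(b"\r\n\r\n")[0]
    server = "unknown"
    for line in head.split(b"\r\n")[1:]:             # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            server = value.strip().decode("latin-1")
    return t_connect, t_first, t_total, server


def summarize(samples):
    """Group (connect, first_byte, total, server) tuples by server signature and
    return per-signature medians in milliseconds."""
    by_server = {}
    for connect, first, total, server in samples:
        by_server.setdefault(server, []).append((connect, first, total))
    report = {}
    for server, rows in by_server.items():
        report[server] = {
            "count": len(rows),
            "connect_ms": round(statistics.median(r[0] for r in rows) * 1000, 1),
            "first_byte_ms": round(statistics.median(r[1] for r in rows) * 1000, 1),
            "total_ms": round(statistics.median(r[2] for r in rows) * 1000, 1),
        }
    return report


# Constructed samples (seconds), shaped like the pattern described for
# www.intel.com: equal connect and first-byte times, longer complete-transfer
# time on the IIS/6.0 machines. These are not real measurements.
SAMPLE_TIMINGS = [
    (0.020, 0.080, 0.150, "Microsoft-IIS/5.0"),
    (0.021, 0.082, 0.160, "Microsoft-IIS/5.0"),
    (0.019, 0.079, 0.155, "Microsoft-IIS/5.0"),
    (0.020, 0.081, 0.400, "Microsoft-IIS/6.0"),
    (0.022, 0.083, 0.410, "Microsoft-IIS/6.0"),
    (0.020, 0.080, 0.390, "Microsoft-IIS/6.0"),
]


class _Handler(BaseHTTPRequestHandler):
    """Throwaway local server for demo_local; its Server header is invented."""
    server_version = "ExampleHTTPD/1.0"
    sys_version = ""

    def do_GET(self):
        body = b"<html><body>constructed page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def demo_local(n=3):
    """Time n requests against a local server and summarise them by signature."""
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    try:
        port = httpd.server_address[1]
        samples = [time_request("127.0.0.1", port) for _ in range(n)]
    finally:
        httpd.shutdown()
        httpd.server_close()
    return summarize(samples)


if __name__ == "__main__":
    for signature, stats in summarize(SAMPLE_TIMINGS).items():
        print(signature, stats)
    print(demo_local())
```

Against the constructed samples the report shows equal connect and first-byte medians for both signatures but a total-transfer median of 400 ms on IIS/6.0 against 155 ms on IIS/5.0, which is the shape of the saw-tooth described. Repeating the measurement from several vantage points and comparing medians rather than single samples is what separates a server-side difference from noise on the measuring path.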
Posted by Mike Prettejohn in Dogfood
Affected software: JRun Java application server from Allaire. All current versions (with the latest security patches as of November 2001) are believed to be affected, including 2.3.3, 3.0, and 3.1.
Impact: Revealing of source code to Java Server Pages, and other protected files inside the web root.
Who is affected: Web sites using vulnerable products as stated above.
Vendor notified: 22nd October, 2001
JRun supports a number of different technologies for dynamically generated content, most importantly Java Server Pages. One lesser-used feature is the support for Server Side Includes (SSI); this is a much simpler language than JSP, which is primarily for including the text of other files on the server (for instance adding standard headers or footers to otherwise static pages), and also supports invoking servlets. By default, the file extension .shtml is assigned to the SSI handler.
Unfortunately, a flaw in the server side component that processes requests for SSI pages means that user supplied data can be included in the SSI processing. A remote user can submit requests containing data which will be processed by the SSI filter; as a result the user can cause the server to execute arbitrary SSI code.
When a request for an SSI page is submitted to the server, and the page does not exist, the SSI handler "falls back" on the body of the HTTP request itself. Usually an HTTP request does not contain a body, but a malicious user can easily construct a request with a body containing SSI commands. These can be used to include the source to other files on the server. For example, a request such as:
```
GET /nosuch.shtml HTTP/1.0
Content-Length: 38

<!--#include virtual="/index.jsp"-->
```
would return the source of the index.jsp page (subject to SSI processing, so servlet tags may be replaced, but most JSP source would be passed through unmodified).
It should be noted that the include directive does not go through the usual URL processing. For example, includes of .jsp files are not done by the JSP handler, hence the source code to .jsp files can be obtained. It also bypasses any access controls enforced by the web server (so files in protected directories such as the /WEB-INF/ directory can be accessed). However, it was not possible to access files outside of the web root in the cases that Netcraft tested.
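The following added example (not JRun's code and not part of the advisory) models the fallback described above in a toy SSI handler so the defect can be read beside a hardened version. The vulnerable handler uses the request body as its SSI source when the requested page is missing; the hardened handler only processes .shtml files that actually exist under the web root, never interprets the request body, and refuses includes of .jsp source and of anything under /WEB-INF/. A small suspicious_ssi_request check shows the request shape a front-end proxy or logging layer would want to flag while the workaround is being applied. The in-memory WEBROOT and its file contents are constructed stand-ins for a real deployment.

```python
# Added example (not JRun's code): toy SSI handler with the described fallback
# flaw beside a hardened version, plus a request-shape check for detection.
import re

# Constructed in-memory web root: path -> file contents.
WEBROOT = {
    "/index.jsp": '<%@ page import="java.sql.*" %>\n<% String dbpw = "constructed"; %>',
    "/WEB-INF/web.xml": "<web-app>constructed protected config</web-app>",
    "/header.html": "<h1>Site header</h1>",
    "/page.shtml": 'Before <!--#include virtual="/header.html"--> After',
    "/leak.shtml": '<!--#include virtual="/WEB-INF/web.xml"-->',
}

INCLUDE_RE = re.compile(r'<!--#include\s+virtual="([^"]*)"\s*-->')


def expand_ssi(text, webroot, allow):
    """Replace each include directive with the target file, subject to allow()."""
    def substitute(match):
        target = match.group(1)
        if not allow(target):
            return "[include denied]"
        return webroot.get(target, "[include not found]")
    return INCLUDE_RE.sub(substitute, text)


def vulnerable_ssi_handler(path, body, webroot=WEBROOT):
    """Models the behaviour the advisory describes: when the requested SSI page
    does not exist, the handler falls back on the HTTP request body as the SSI
    source, and includes are not subject to the web server's access controls."""
    source = webroot.get(path)
    if source is None:
        source = body                     # the flaw: caller-supplied SSI source
    return 200, expand_ssi(source, webroot, allow=lambda target: True)


def hardened_ssi_handler(path, body, webroot=WEBROOT):
    """Only existing .shtml files are SSI sources, the request body is ignored,
    and includes cannot reach protected paths or raw JSP source."""
    source = webroot.get(path)
    if source is None or not path.endswith(".shtml"):
        return 404, "Not Found"

    def allow(target):
        parts = target.split("/")
        if ".." in parts or not target.startswith("/"):
            return False                  # no traversal, no relative targets
        if target.startswith("/WEB-INF/") or target.endswith(".jsp"):
            return False                  # protected directory / server-side source
        return target in webroot

    return 200, expand_ssi(source, webroot, allow)


def suspicious_ssi_request(method, path, body):
    """Detection check for a proxy or log pipeline: a GET or HEAD for an SSI
    page that carries a body containing an SSI include directive."""
    return (method in ("GET", "HEAD") and path.endswith(".shtml")
            and bool(body) and INCLUDE_RE.search(body) is not None)


if __name__ == "__main__":
    probe = '<!--#include virtual="/index.jsp"-->'
    print("vulnerable:", vulnerable_ssi_handler("/nosuch.shtml", probe))
    print("hardened:  ", hardened_ssi_handler("/nosuch.shtml", probe))
    print("normal:    ", hardened_ssi_handler("/page.shtml", ""))
    print("flagged:   ", suspicious_ssi_request("GET", "/nosuch.shtml", probe))
```

The hardened handler fixes two separate things the advisory calls out: the source of SSI text is always a file that exists under the web root, never the request, and the include directive goes through the same checks the web server would apply to a direct request, so /WEB-INF/ and .jsp targets are denied even from a legitimate .shtml page.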
Netcraft also verified that it was possible to execute Java servlets on the server using this vulnerability. As it is common to expose these via /servlet/ URL mapping, this does not give the attacker any new advantage in the normal setup, but could be considered a problem by sites that have disabled the
As a workaround, sites using JRun can disable SSI support on the web server, as it is not required for any other feature of the server, including Java Server Pages, so few sites actually require this functionality. This involves both disabling the .shtml extension mapping to SSI handling and disabling the /servlet/ method of invoking the servlet which does SSI (the latter can be done either by disabling the /servlet/ mapping if it is not used, or by blocking access to the particular servlet affected: allaire.jrun.ssi.SSIFilter for JRun 3.x, com.livesoftware.jrun.plugins.ssi.SSIFilter on JRun 2.3.x). See the security bulletin from Allaire for detailed information on making this
Vendor Patches and Comments
Allaire have responded promptly to Netcraft's initial report of this problem. They have confirmed that this is a security problem in the JRun versions listed. A patch is expected to be included in the next rollup patch for JRun. In the meantime they have released a security bulletin to notify customers of this problem, and advise a workaround by disabling SSI.
This information is provided on an AS IS basis in the hope that it is useful in securing vulnerable computer systems; however Netcraft cannot guarantee its accuracy or accept responsibility for any damage resulting from the release of this advisory.
This is one of many vulnerabilities tested by Netcraft's security testing services. Please see http://news.netcraft.com/archives/security.html for more information.
Posted by Martyn Tovey in Security