date:20010918



Sorry for the off-topic post; there was a lot of discussion here of
CodeRed and Reuven's module to report attempted attacks.

Since this a.m. I have had hundreds of requests like:

/scripts/root.exe?/c+dir
/MSADC/root.exe?/c+dir
/c/winnt/system32/cmd.exe?/c+dir
/d/winnt/system32/cmd.exe?/c+dir
/scripts/..%5c../winnt/system32/cmd.exe?/c+dir
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir

etc.

They seem to come in batches of a dozen or more with slight variations in
the URI requested. I am thinking about adding support to CodeRed.pm (which
should probably be renamed if so) to report these attacks via e-mail in
the same way it does for CodeRed. Any interest in that? Or any info on
these bogus requests?

~~~
Nick Tonkin

Using APACHE::ASP objects into a AuthenHandler

2001-09-18 Thread willems Luc



Hello  ,

I have a quistion abous $Session objects. Is it possible to us this objects 
in a custom Authentication handler.

The idea is to use a ASP script to login the user and put some user info into 
the session object if the user is valid. After that i redirect the user 1 
level deeper. In this level only users with a valid session can acces any 
file (this includes html,asp and other files).

the idea is to do somthing like 

$session = Apache::ASP-Session;
blablabla


luc

RE: ANNOUNCE: Starting work on Apache::RedirectUnless

2001-09-18 Thread Christian Gilmore


Putting it into the auth phase would be appropriate, but I have to wonder
why this module is needed other than to refrain from keeping your
configuration file clean. Your unsecure virtual host should have no auth
statements in it if you want all auth to be on your secure virtual host...

You'll need to have your entire session where you want the user to
authenticate on the same virtual host, else the user will be prompted
multiple times or you will have a security gap if you're leaving it all up
to the service layer.

Regards,
Christian

 -Original Message-
 From: J. J. Horner [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 8:51 AM
 To: [EMAIL PROTECTED]
 Subject: ANNOUNCE: Starting work on Apache::RedirectUnless


 I have need of a module that will redirect to https anytime
 basic authentication is required.

 I figure the best way to do this is to step in at the authentication
 phase, and should authentication be required and the method be http,
 redirect to https for any and all basic authentication
 traffic.  Perhaps
 after this, redirect to http, if desired.

 Any comments or suggestions?

 Thanks,
 JJ

 --
 J. J. Horner
 H*,6d6174686c696e40326a6e6574776f726b732e636f6d
 ***
 H*,6a6a686f726e65724062656c6c736f7574682e6e6574

 Freedom is an all-or-nothing proposition:  either we
 are completely free, or we are subjects of a
 tyrannical system.  If we lose one freedom in a
 thousand, we become completely subjugated.

RE: Knowing if a apache server is compiled with mod_perl

2001-09-18 Thread Joe Breeden


Or you could do:

perl -nle 'print $_\n if m/mod_perl/' /path/to/error_log

where /path/to/error_log is the file pointed at by the ErrorLog directive in
you httpd.conf file.

--Joe Breeden

--
Sent from my Outlook 2000 Wired Deskheld (www.microsoft.com)


 -Original Message-
 From: Steven Lembark [mailto:[EMAIL PROTECTED]]
 Sent: Monday, September 17, 2001 3:07 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Knowing if a apache server is compiled with mod_perl
 
 
 
 
 -- Mat [EMAIL PROTECTED]
 
  Hi everyone,
 I'd like to know if there is a simple way to find if an 
 apache server
  is compiled with mod_perl and with which version. My aim is 
 to write a
  script which compile mod_perl if it is not installed.
 For the moment
  I've found only two ways, launch the actual server and 
 telnet it to parse
  the server signature. But it has the disadvantages of 
 having the Apache
  server running and the server signature on.The other 
 way  would be to
  get the return of httpd -v, but I won't have the version 
 and I think this
  won't work if the module is compiled in dso.  So is it 
 possible from
  the Apache binary to check mod_perl ?
 
 If the server is compiled w/ mod_info check that for mod_perl.
 
 --
 Steven Lembark   
 2930 W. Palmer
 Workhorse Computing   
 Chicago, IL 60647
 
 +1 800 762 1582

RE: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Matt Sergeant


 -Original Message-
 From: Nick Tonkin [mailto:[EMAIL PROTECTED]]
 
 Sorry for the off-topic post; there was a lot of discussion here of
 CodeRed and Reuven's module to report attempted attacks.
 
 Since this a.m. I have had hundreds of requests like:
 
 /scripts/root.exe?/c+dir
 /MSADC/root.exe?/c+dir
 /c/winnt/system32/cmd.exe?/c+dir
 /d/winnt/system32/cmd.exe?/c+dir
 /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
 /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
 /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
 
 etc.
 
 They seem to come in batches of a dozen or more with slight 
 variations in
 the URI requested. I am thinking about adding support to 
 CodeRed.pm (which
 should probably be renamed if so) to report these attacks via 
 e-mail in
 the same way it does for CodeRed. Any interest in that? Or any info on
 these bogus requests?

Lots of talk on Slashdot about this at the moment. Basically it's like Code
Red on steroids. It started spreading at about 9am GMT (we'll have a
bulletin out about it soon, keep checking http://www.messagelabs.com), and
has *already* reached critical mass. Our heuristical virus scanner stopped
spreading via email for all our customers, but we don't protect against
worms. The reason this is spreading via email too is that it modifies all
the files on your web server to add in a javascript popup attachment
containing readme.eml, which outlook dutifully opens and executes the
contents, spreading the worm even for people who don't run IIS (unless they
have our email virus protection service :-)

This one's gonna grind the net to a halt pretty quick. I hate to think what
this will mean for people running web servers at home over DSL (including me
soon).

Matt.

_
This message has been checked for all known viruses by Star Internet
delivered through the MessageLabs Virus Scanning Service. For further
information visit http://www.star.net.uk/stats.asp or alternatively call
Star Internet for details on the Virus Scanning Service.

Re: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Wim Kerkhoff

Nick Tonkin wrote:

Sorry for the off-topic post; there was a lot of discussion here of
CodeRed and Reuven's module to report attempted attacks.

Since this a.m. I have had hundreds of requests like:

/scripts/root.exe?/c+dir
/MSADC/root.exe?/c+dir
/c/winnt/system32/cmd.exe?/c+dir
/d/winnt/system32/cmd.exe?/c+dir
/scripts/..%5c../winnt/system32/cmd.exe?/c+dir
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir

etc.

They seem to come in batches of a dozen or more with slight variations in
the URI requested. I am thinking about adding support to CodeRed.pm (which
should probably be renamed if so) to report these attacks via e-mail in
the same way it does for CodeRed. Any interest in that? Or any info on
these bogus requests?

Interesting... I'm getting many requests for those in my servers' logs
as well. Upon a little research, this appears to be TROJ_BLUECODE.A.
Basically its a worm looking for the Web Server Folder Traversal
Vulnerability in IIS.

Microsoft says the patch has been around for a while, but I wonder if it
is actually in the service packs available from Windows Update. The worm
really seems to be moving around... we're getting thousands of requests.
The REMOTE_HOST entries are interesting as well... nameservers...
domains with the word 'secure' in them... nice.

http://merilus.com/cgi-bin/advisory/advisory.cgi?advisory_id=324
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp

Regards,

Wim Kerkhoff, Software Engineer
Merilus, Inc. -|- http://www.merilus.com
Email: [EMAIL PROTECTED]

Re: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Tom Servo


Slashdot has a report on this now, looks like a similar worm to CodeRed,
but this one tries to hit numerous vulnerabilities, including backdoors
left open by CodeRed.


Brian Nilsen
[EMAIL PROTECTED]

On Tue, 18 Sep 2001, Nick Tonkin wrote:

 
 Sorry for the off-topic post; there was a lot of discussion here of
 CodeRed and Reuven's module to report attempted attacks.
 
 Since this a.m. I have had hundreds of requests like:
 
 /scripts/root.exe?/c+dir
 /MSADC/root.exe?/c+dir
 /c/winnt/system32/cmd.exe?/c+dir
 /d/winnt/system32/cmd.exe?/c+dir
 /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
 /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
 /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
 
 etc.
 
 They seem to come in batches of a dozen or more with slight variations in
 the URI requested. I am thinking about adding support to CodeRed.pm (which
 should probably be renamed if so) to report these attacks via e-mail in
 the same way it does for CodeRed. Any interest in that? Or any info on
 these bogus requests?
 
 ~~~
 Nick Tonkin

Microsoft Access + Perl

2001-09-18 Thread Brice D Ruth


Am I assuming correctly, that Perl could communicate with a MS Access 
database file via ODBC, on a Windows box?  If so, are there any 
particular gotchas or limitations to this approach that I should be 
aware of?  I typically use MySQL or PostgreSQL on a Linux or FreeBSD 
box, so this is sorta new to me.  Also, is it possible for iODBC to 
communiate with a MS Access database file on a Linux box?  Is there any 
way to do this?  If, e.g. I wanted to setup Apache + mod_perl on a Linux 
box to access a local Access database file - what would I need?  Or is 
this not possible?

Any guidance is as always, appreciated :)

-Brice

Re: Microsoft Access + Perl

2001-09-18 Thread lembark




-- Brice D Ruth [EMAIL PROTECTED] on 09/18/01 10:57:26 -0500

 Am I assuming correctly, that Perl could communicate with a MS Access
 database file via ODBC, on a Windows box?  If so, are there any
 particular gotchas or limitations to this approach that I should be aware
 of?  I typically use MySQL or PostgreSQL on a Linux or FreeBSD box, so
 this is sorta new to me.  Also, is it possible for iODBC to communiate
 with a MS Access database file on a Linux box?  Is there any way to do
 this?  If, e.g. I wanted to setup Apache + mod_perl on a Linux box to
 access a local Access database file - what would I need?  Or is this not
 possible?

ODBC doc's pretty well describe the pitfalls -- beginning with ODBC 
itself.  Check perldoc DBD::ODBC.

dbi mailing list also has plenty of examples if you check the
archives.

sl

Re: ANNOUNCE: Starting work on Apache::RedirectUnless

2001-09-18 Thread 'J. J. Horner'


The problem with that solution is that we have 2 virtual hosts, one http, one https, 
on one
machine.  https is the only available transport outside of our network, while the http
server is available internally.

This is a production webserver, with existing information, applications, etc.  We don't
want to redesign our existing setup just to move content to a secure virtualhost when
someone wants to authenticate.  This approach allows us to keep things from the 
developer
side very transparent.  Developers can continue to maintain and create as usual, with 
the 
added step of a login being transferred by https method.

If I were designing a server from scratch, I would plan better, but since we are trying
to implement encrypted basic authentication after the server, sites, applications are 
in place,
we have to work around them.

With the AuthName set to one value across the server, we may be able to prevent too 
many logins.

We need to keep the same content on both virtualhosts as much as possible.

Ideas?  Comments?

Thanks,
JJ


* Christian Gilmore ([EMAIL PROTECTED]) [010918 11:36]:
 Putting it into the auth phase would be appropriate, but I have to wonder
 why this module is needed other than to refrain from keeping your
 configuration file clean. Your unsecure virtual host should have no auth
 statements in it if you want all auth to be on your secure virtual host...
 
 You'll need to have your entire session where you want the user to
 authenticate on the same virtual host, else the user will be prompted
 multiple times or you will have a security gap if you're leaving it all up
 to the service layer.
 
 Regards,
 Christian
 
  -Original Message-
  From: J. J. Horner [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 18, 2001 8:51 AM
  To: [EMAIL PROTECTED]
  Subject: ANNOUNCE: Starting work on Apache::RedirectUnless
 
 
  I have need of a module that will redirect to https anytime
  basic authentication is required.
 
  I figure the best way to do this is to step in at the authentication
  phase, and should authentication be required and the method be http,
  redirect to https for any and all basic authentication
  traffic.  Perhaps
  after this, redirect to http, if desired.
 
  Any comments or suggestions?
 
  Thanks,
  JJ
 
  --
  J. J. Horner
  H*,6d6174686c696e40326a6e6574776f726b732e636f6d
  ***
  H*,6a6a686f726e65724062656c6c736f7574682e6e6574
 
  Freedom is an all-or-nothing proposition:  either we
  are completely free, or we are subjects of a
  tyrannical system.  If we lose one freedom in a
  thousand, we become completely subjugated.
 

-- 
J. J. Horner
H*,6d6174686c696e40326a6e6574776f726b732e636f6d
***
H*,6a6a686f726e65724062656c6c736f7574682e6e6574

Freedom is an all-or-nothing proposition:  either we 
are completely free, or we are subjects of a
tyrannical system.  If we lose one freedom in a
thousand, we become completely subjugated.

 PGP signature

Apache-Roaming with Netscape-4-72

2001-09-18 Thread Ted Sariyski


Hi,

I apologize if I address my question to a wrong newsgroups. I was trying
to enable mod_perl Roaming user with Apache running on i386/RedHat7.x. I
followed all the steps in order to do so but when run Netscape-4.72 I
get the following in the Apache error log file:

/home/web/roaming/.htaccess: Invalid command 'tsariysk:ZJbPFKHxDasnx',
perhaps mis-spelled or defined by a module not included in the server
configuration

It seems that a perl module is trying to interpret .htaccess instead of
to authenticate. Here is my configuration. I installed
Apache-Roaming-0.1002 and in httpd.conf added the following lines: 

LoadModule perl_module/usr/lib/apache/libperl.so 
AddModule mod_perl.c 

and

PerlModule Apache::Roaming
Location /roaming/
limit GET PUT MOVE HEAD DELETE
  /Limit
  PerlHandler Apache::Roaming-handler
  PerlTypeHandler Apache::Roaming-handler_type
  AuthType Basic
  AuthName Roaming User
  AuthUserFile /home/web/roaming/.htaccess
  require valid-user
  PerlSetVar BaseDir /home/web/roaming
/Location

When I restart the server there are no complains. The error pops only
when the client try to connect to the server. I will appreciate any help
to fix what I am missing in my configuration.

Thanks in advance,
Ted

Re: Microsoft Access + Perl

2001-09-18 Thread Aleksandr Vladimirskiy


Hi, I have been running an Access DB on a Win2K box, and using perl to
populate an LDAP server on a Solaris server. The standard perl/DBI
distribution on the Windows machine comes with something called
DBI::Proxy. You run it as a daemon on the Windows box and any Unix based
perl script using DBI can see any ODBC data-sources available there. I
have been told by some people with more distributed DB experience that in
the end it is more efficient to migrate all data to a single server,
rather than deal with it being both in Access and some local SQL server.
such as MySQL.

Hope this helps,

Alex

On Tue, 18 Sep 2001, Brice D Ruth wrote:

 Am I assuming correctly, that Perl could communicate with a MS Access
 database file via ODBC, on a Windows box?  If so, are there any
 particular gotchas or limitations to this approach that I should be
 aware of?  I typically use MySQL or PostgreSQL on a Linux or FreeBSD
 box, so this is sorta new to me.  Also, is it possible for iODBC to
 communiate with a MS Access database file on a Linux box?  Is there any
 way to do this?  If, e.g. I wanted to setup Apache + mod_perl on a Linux
 box to access a local Access database file - what would I need?  Or is
 this not possible?

 Any guidance is as always, appreciated :)

 -Brice

Re: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Adi Fairbank


I wish someone would just write a worm that would put these IIS machines out
of their misery and stop causing the rest of us such a headache.

Nick Tonkin wrote:
 
 Sorry for the off-topic post; there was a lot of discussion here of
 CodeRed and Reuven's module to report attempted attacks.
 
 Since this a.m. I have had hundreds of requests like:
 
 /scripts/root.exe?/c+dir
 /MSADC/root.exe?/c+dir
 /c/winnt/system32/cmd.exe?/c+dir
 /d/winnt/system32/cmd.exe?/c+dir
 /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
 /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
 /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
 
 etc.
 
 They seem to come in batches of a dozen or more with slight variations in
 the URI requested. I am thinking about adding support to CodeRed.pm (which
 should probably be renamed if so) to report these attacks via e-mail in
 the same way it does for CodeRed. Any interest in that? Or any info on
 these bogus requests?
 
 ~~~
 Nick Tonkin

Re: Apache-Roaming with Netscape-4-72

2001-09-18 Thread Tim Tompkins


.htaccess is the default access file name.   It is possible to change this
using the AccessFileName directive, but you'll very likely break something
as a result.  The recommended solution is to use a different name for your
password file.


Thanks,

Tim Tompkins
--
Programmer
http://www.arttoday.com/
http://www.rebelartist.com/
--
- Original Message - 
From: Ted Sariyski [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 18, 2001 10:12 AM
Subject: Apache-Roaming with Netscape-4-72


Hi,

I apologize if I address my question to a wrong newsgroups. I was trying
to enable mod_perl Roaming user with Apache running on i386/RedHat7.x. I
followed all the steps in order to do so but when run Netscape-4.72 I
get the following in the Apache error log file:

/home/web/roaming/.htaccess: Invalid command 'tsariysk:ZJbPFKHxDasnx',
perhaps mis-spelled or defined by a module not included in the server
configuration

It seems that a perl module is trying to interpret .htaccess instead of
to authenticate. Here is my configuration. I installed
Apache-Roaming-0.1002 and in httpd.conf added the following lines: 

LoadModule perl_module/usr/lib/apache/libperl.so 
AddModule mod_perl.c 

and

PerlModule Apache::Roaming
Location /roaming/
limit GET PUT MOVE HEAD DELETE
  /Limit
  PerlHandler Apache::Roaming-handler
  PerlTypeHandler Apache::Roaming-handler_type
  AuthType Basic
  AuthName Roaming User
  AuthUserFile /home/web/roaming/.htaccess
  require valid-user
  PerlSetVar BaseDir /home/web/roaming
/Location

When I restart the server there are no complains. The error pops only
when the client try to connect to the server. I will appreciate any help
to fix what I am missing in my configuration.

Thanks in advance,
Ted

RE: ANNOUNCE: Starting work on Apache::RedirectUnless

2001-09-18 Thread Christian Gilmore


A realm is defined by the following three things:

1) AuthName
2) ServerName (well, the server name in the URL actually)
3) Port (well, the port to which the browser is talking)

If these three things are not always the same, the browser will prompt the
user to re-authenticate. So, you cannot authenticate a user on your https
port and magically expect that information to be passed by the browser to
your http port. You'd have to do application-layer session handling with
some kind of shared information across services. There are security
implications to consider here...

Regards,
Christian

 -Original Message-
 From: 'J. J. Horner' [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 12:01 PM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: ANNOUNCE: Starting work on Apache::RedirectUnless


 The problem with that solution is that we have 2 virtual
 hosts, one http, one https, on one
 machine.  https is the only available transport outside of
 our network, while the http
 server is available internally.

 This is a production webserver, with existing information,
 applications, etc.  We don't
 want to redesign our existing setup just to move content to a
 secure virtualhost when
 someone wants to authenticate.  This approach allows us to
 keep things from the developer
 side very transparent.  Developers can continue to maintain
 and create as usual, with the
 added step of a login being transferred by https method.

 If I were designing a server from scratch, I would plan
 better, but since we are trying
 to implement encrypted basic authentication after the server,
 sites, applications are in place,
 we have to work around them.

 With the AuthName set to one value across the server, we may
 be able to prevent too many logins.

 We need to keep the same content on both virtualhosts as much
 as possible.

 Ideas?  Comments?

 Thanks,
 JJ


 * Christian Gilmore ([EMAIL PROTECTED]) [010918 11:36]:
  Putting it into the auth phase would be appropriate, but I
 have to wonder
  why this module is needed other than to refrain from keeping your
  configuration file clean. Your unsecure virtual host should
 have no auth
  statements in it if you want all auth to be on your secure
 virtual host...
 
  You'll need to have your entire session where you want the user to
  authenticate on the same virtual host, else the user will
 be prompted
  multiple times or you will have a security gap if you're
 leaving it all up
  to the service layer.
 
  Regards,
  Christian
 
   -Original Message-
   From: J. J. Horner [mailto:[EMAIL PROTECTED]]
   Sent: Tuesday, September 18, 2001 8:51 AM
   To: [EMAIL PROTECTED]
   Subject: ANNOUNCE: Starting work on Apache::RedirectUnless
  
  
   I have need of a module that will redirect to https anytime
   basic authentication is required.
  
   I figure the best way to do this is to step in at the
 authentication
   phase, and should authentication be required and the
 method be http,
   redirect to https for any and all basic authentication
   traffic.  Perhaps
   after this, redirect to http, if desired.
  
   Any comments or suggestions?
  
   Thanks,
   JJ
  
   --
   J. J. Horner
   H*,6d6174686c696e40326a6e6574776f726b732e636f6d
   ***
   H*,6a6a686f726e65724062656c6c736f7574682e6e6574
  
   Freedom is an all-or-nothing proposition:  either we
   are completely free, or we are subjects of a
   tyrannical system.  If we lose one freedom in a
   thousand, we become completely subjugated.
  

 --
 J. J. Horner
 H*,6d6174686c696e40326a6e6574776f726b732e636f6d
 ***
 H*,6a6a686f726e65724062656c6c736f7574682e6e6574

 Freedom is an all-or-nothing proposition:  either we
 are completely free, or we are subjects of a
 tyrannical system.  If we lose one freedom in a
 thousand, we become completely subjugated.

Re: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Tom Servo


You're tellin' me, I've now had word come down that we need to do a full
audit of our Apache and *nix installations to make sure that they're okay.
Nevermind the fact that the only problems we have so far is people opening
up files called readme.exe in their e-mail.
*slapsforeheadinfrustration*

There are no stupid questions, but there are a lot of inquisitive idiots.

Brian Nilsen
[EMAIL PROTECTED]

On Tue, 18 Sep 2001, Adi Fairbank wrote:

 I wish someone would just write a worm that would put these IIS machines out
 of their misery and stop causing the rest of us such a headache.
 
 Nick Tonkin wrote:
  
  Sorry for the off-topic post; there was a lot of discussion here of
  CodeRed and Reuven's module to report attempted attacks.
  
  Since this a.m. I have had hundreds of requests like:
  
  /scripts/root.exe?/c+dir
  /MSADC/root.exe?/c+dir
  /c/winnt/system32/cmd.exe?/c+dir
  /d/winnt/system32/cmd.exe?/c+dir
  /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
  /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
  /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
  
  etc.
  
  They seem to come in batches of a dozen or more with slight variations in
  the URI requested. I am thinking about adding support to CodeRed.pm (which
  should probably be renamed if so) to report these attacks via e-mail in
  the same way it does for CodeRed. Any interest in that? Or any info on
  these bogus requests?
  
  ~~~
  Nick Tonkin

Re: [OT] New Micro$oft vulnerability?


http://www.torkington.com/vermicide.txt has a mod_perl handler to
catch the requests as soon as they arrive, and discard them with a
minimum of work to Apache.  If your web server is struggling under the
load, this might help.

The heuristic it uses for requests to ignore with prejudice is the
presence of root.exe, cmd.exe, or default.ida.  You might want to
tweak the regexp if those files are part of your web site :-)

Yes, it's ugly to put the code into your httpd.conf.  Consider this a
visual reminder to take it out once the worm scare has passed.

Nat

RE: ANNOUNCE: Starting work on Apache::RedirectUnless

2001-09-18 Thread Stephen Adkins


Hi,

I have been following this thread with interest because I have been
struggling with the same problem.  I define it this way.

 * To achieve secure authentication which is widely supported, you need
   to use Basic authentication over SSL
 * All URLs which can be accessed with HTTPS can be accessed with HTTP
 * I secure certain directories with .htaccess and all of the links
   in my site which point to them are via HTTPS, so as long as people
   always follow the links, they will never transfer the password
   in clear text (essentially) over the network using HTTP.
 * However, if they type the URL directly into the browser and they
   *forget* to use https but rather use http, their password
   is exposed to network sniffers.

I think that it was to solve this problem that J.J.Horner suggested
the module.  Any request to a secured area using HTTP would be
automatically redirected to the same URL with HTTPS instead.
Thus, the browser would never, ever be prompted to surrender the
authentication credentials (password) in the clear over HTTP.

Thus, I see great value to JJ's suggested module.

Is there an easier way to safeguard against Apache prompting for
a password over HTTP?

Stephen

At 01:41 PM 9/18/2001 -0500, Christian Gilmore wrote:
A realm is defined by the following three things:

1) AuthName
2) ServerName (well, the server name in the URL actually)
3) Port (well, the port to which the browser is talking)

If these three things are not always the same, the browser will prompt the
user to re-authenticate. So, you cannot authenticate a user on your https
port and magically expect that information to be passed by the browser to
your http port. You'd have to do application-layer session handling with
some kind of shared information across services. There are security
implications to consider here...

Regards,
Christian

 -Original Message-
 From: 'J. J. Horner' [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 12:01 PM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: ANNOUNCE: Starting work on Apache::RedirectUnless


 The problem with that solution is that we have 2 virtual
 hosts, one http, one https, on one
 machine.  https is the only available transport outside of
 our network, while the http
 server is available internally.

 This is a production webserver, with existing information,
 applications, etc.  We don't
 want to redesign our existing setup just to move content to a
 secure virtualhost when
 someone wants to authenticate.  This approach allows us to
 keep things from the developer
 side very transparent.  Developers can continue to maintain
 and create as usual, with the
 added step of a login being transferred by https method.

 If I were designing a server from scratch, I would plan
 better, but since we are trying
 to implement encrypted basic authentication after the server,
 sites, applications are in place,
 we have to work around them.

 With the AuthName set to one value across the server, we may
 be able to prevent too many logins.

 We need to keep the same content on both virtualhosts as much
 as possible.

 Ideas?  Comments?

 Thanks,
 JJ


 * Christian Gilmore ([EMAIL PROTECTED]) [010918 11:36]:
  Putting it into the auth phase would be appropriate, but I
 have to wonder
  why this module is needed other than to refrain from keeping your
  configuration file clean. Your unsecure virtual host should
 have no auth
  statements in it if you want all auth to be on your secure
 virtual host...
 
  You'll need to have your entire session where you want the user to
  authenticate on the same virtual host, else the user will
 be prompted
  multiple times or you will have a security gap if you're
 leaving it all up
  to the service layer.
 
  Regards,
  Christian
 
   -Original Message-
   From: J. J. Horner [mailto:[EMAIL PROTECTED]]
   Sent: Tuesday, September 18, 2001 8:51 AM
   To: [EMAIL PROTECTED]
   Subject: ANNOUNCE: Starting work on Apache::RedirectUnless
  
  
   I have need of a module that will redirect to https anytime
   basic authentication is required.
  
   I figure the best way to do this is to step in at the
 authentication
   phase, and should authentication be required and the
 method be http,
   redirect to https for any and all basic authentication
   traffic.  Perhaps
   after this, redirect to http, if desired.
  
   Any comments or suggestions?
  
   Thanks,
   JJ
  
   --
   J. J. Horner
   H*,6d6174686c696e40326a6e6574776f726b732e636f6d
   ***
   H*,6a6a686f726e65724062656c6c736f7574682e6e6574
  
   Freedom is an all-or-nothing proposition:  either we
   are completely free, or we are subjects of a
   tyrannical system.  If we lose one freedom in a
   thousand, we become completely subjugated.
  

 --
 J. J. Horner
 H*,6d6174686c696e40326a6e6574776f726b732e636f6d
 ***
 H*,6a6a686f726e65724062656c6c736f7574682e6e6574

Re: [OT] New Micro$oft vulnerability?


[Apologies if you get this twice--mailed it first from my oreilly.com
account, which may not be the address subscribed to this list]

http://www.torkington.com/vermicide.txt has a mod_perl handler to
catch the requests as soon as they arrive, and discard them with a
minimum of work to Apache.  If your web server is struggling under the
load, this might help.

The heuristic it uses for requests to ignore with prejudice is the
presence of root.exe, cmd.exe, or default.ida.  You might want to
tweak the regexp if those files are part of your web site :-)

Yes, it's ugly to put the code into your httpd.conf.  Consider this a
visual reminder to take it out once the worm scare has passed.

Nat

RE: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Alex Porras


Adi Fairbank wrote:

 I wish someone would just write a worm that would put these 
 IIS machines out of their misery and stop causing the rest 
 of us such a headache.

I think that it would be a lot easier to write a worm that puts IIS admins
out of their misery--they're already busy applying dozens of incremental
patches as it is.  Only a few more worms are needed before disgruntled
admins call it quits.  =)

Re: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Angel R. Rivera


you know guys, seems to me micro$not users should be thinking of
product liability claim.. i mean, if you buy cigs and get cancer and
can
win a lawsuit or if you buy hot coffee and put it between your legs
and
can win, this should a real slam dunk. 
At 12:09 PM 9/18/2001 -0700, Tom Servo wrote:
You're tellin' me, I've now had
word come down that we need to do a full
audit of our Apache and *nix installations to make sure that they're
okay.
Nevermind the fact that the only problems we have so far is people
opening
up files called readme.exe in their e-mail.
*slapsforeheadinfrustration*
There are no stupid questions, but there are a lot of inquisitive
idiots.


Angel R. Rivera, [EMAIL PROTECTED]
-

http://www.wolf.com 

Advocates for Wolves and Wolf Habitat
 On the web since 1994
-

RE: ANNOUNCE: Starting work on Apache::RedirectUnless

2001-09-18 Thread Christian Gilmore


Redirects in the non-secure virtual host to the secure virtual host would
certainly do the trick. The module does have value (better name would be
Apache::AuthRedirect, IMO), but it would be built for people to be lazy
about their configurations.

Regards,
Christian

--
Christian Gilmore
Team Lead
Web Infrastructure  Tools
IBM Software Group

 -Original Message-
 From: Stephen Adkins [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 3:09 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: RE: ANNOUNCE: Starting work on Apache::RedirectUnless


 Hi,

 I have been following this thread with interest because I have been
 struggling with the same problem.  I define it this way.

  * To achieve secure authentication which is widely
 supported, you need
to use Basic authentication over SSL
  * All URLs which can be accessed with HTTPS can be accessed with HTTP
  * I secure certain directories with .htaccess and all of the links
in my site which point to them are via HTTPS, so as long as people
always follow the links, they will never transfer the password
in clear text (essentially) over the network using HTTP.
  * However, if they type the URL directly into the browser and they
*forget* to use https but rather use http, their password
is exposed to network sniffers.

 I think that it was to solve this problem that J.J.Horner suggested
 the module.  Any request to a secured area using HTTP would be
 automatically redirected to the same URL with HTTPS instead.
 Thus, the browser would never, ever be prompted to surrender the
 authentication credentials (password) in the clear over HTTP.

 Thus, I see great value to JJ's suggested module.

 Is there an easier way to safeguard against Apache prompting for
 a password over HTTP?

 Stephen

 At 01:41 PM 9/18/2001 -0500, Christian Gilmore wrote:
 A realm is defined by the following three things:
 
 1) AuthName
 2) ServerName (well, the server name in the URL actually)
 3) Port (well, the port to which the browser is talking)
 
 If these three things are not always the same, the browser
 will prompt the
 user to re-authenticate. So, you cannot authenticate a user
 on your https
 port and magically expect that information to be passed by
 the browser to
 your http port. You'd have to do application-layer session
 handling with
 some kind of shared information across services. There are security
 implications to consider here...
 
 Regards,
 Christian
 
  -Original Message-
  From: 'J. J. Horner' [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 18, 2001 12:01 PM
  To: [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]
  Subject: Re: ANNOUNCE: Starting work on Apache::RedirectUnless
 
 
  The problem with that solution is that we have 2 virtual
  hosts, one http, one https, on one
  machine.  https is the only available transport outside of
  our network, while the http
  server is available internally.
 
  This is a production webserver, with existing information,
  applications, etc.  We don't
  want to redesign our existing setup just to move content to a
  secure virtualhost when
  someone wants to authenticate.  This approach allows us to
  keep things from the developer
  side very transparent.  Developers can continue to maintain
  and create as usual, with the
  added step of a login being transferred by https method.
 
  If I were designing a server from scratch, I would plan
  better, but since we are trying
  to implement encrypted basic authentication after the server,
  sites, applications are in place,
  we have to work around them.
 
  With the AuthName set to one value across the server, we may
  be able to prevent too many logins.
 
  We need to keep the same content on both virtualhosts as much
  as possible.
 
  Ideas?  Comments?
 
  Thanks,
  JJ
 
 
  * Christian Gilmore ([EMAIL PROTECTED]) [010918 11:36]:
   Putting it into the auth phase would be appropriate, but I
  have to wonder
   why this module is needed other than to refrain from keeping your
   configuration file clean. Your unsecure virtual host should
  have no auth
   statements in it if you want all auth to be on your secure
  virtual host...
  
   You'll need to have your entire session where you want
 the user to
   authenticate on the same virtual host, else the user will
  be prompted
   multiple times or you will have a security gap if you're
  leaving it all up
   to the service layer.
  
   Regards,
   Christian
  
-Original Message-
From: J. J. Horner [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 8:51 AM
To: [EMAIL PROTECTED]
Subject: ANNOUNCE: Starting work on Apache::RedirectUnless
   
   
I have need of a module that will redirect to https anytime
basic authentication is required.
   
I figure the best way to do this is to step in at the
  authentication
phase, and should authentication be required and the
  method be http,
redirect to https

Re: problems with BerkeleyDB and apache

2001-09-18 Thread Gustav Kristoffer Ek


On Mon, 17 Sep 2001, Ask Bjoern Hansen wrote:

[...]
 try,
 
   export LD_PRELOAD=/usr/local/lib/libdb3.so
 
 before you start apache.

It worked doing that. I first solved the problem by moving the db2 libs
and headers before I compiled, but you solution seams cleaner to me apart
from that I have to do it every time I start apache. What about compile
time options?


- gustav

-- 
1st graffitiist: QUESTION AUTHORITY!   2nd graffitiist: Why?
Gustav Kristoffer Ek  http://ek.dk/  +45 20 40 00 05

Re: ANNOUNCE: Starting work on Apache::RedirectUnless

2001-09-18 Thread Jimmy


On Tue, Sep 18, 2001 at 04:08:30PM -0400, Stephen Adkins wrote:
 Hi,
 
 I have been following this thread with interest because I have been
 struggling with the same problem.  I define it this way.
 
  * To achieve secure authentication which is widely supported, you need
to use Basic authentication over SSL
  * All URLs which can be accessed with HTTPS can be accessed with HTTP
  * I secure certain directories with .htaccess and all of the links
in my site which point to them are via HTTPS, so as long as people
always follow the links, they will never transfer the password
in clear text (essentially) over the network using HTTP.
  * However, if they type the URL directly into the browser and they
*forget* to use https but rather use http, their password
is exposed to network sniffers.

Do just like mod_proxy_add_forward.c but forward the port also.

/* fixup */
ap_table_set(r-headers_in, X-Port, ap_psprintf(r-pool, %u,
r-server-port ? r-server-port : ap_default_port(r)));

# PerlPost
my $forwarded_port = $r-header_in('X-Port');
if ($forwarded_port != 443)
{
# do something
} else {
# do this
}

Just a thought  

Jimmy

Re: [OT] New Micro$oft vulnerability?

2001-09-18 Thread lembark




-- Jeremy Howard [EMAIL PROTECTED] on 09/19/01 06:37:15 +1000


 This one's gonna grind the net to a halt pretty quick. I hate to think
 what
 this will mean for people running web servers at home over DSL (including
 me
 soon).
 
 Any suggestions on how we should respond? Update Apache::CodeRed to
 recognise the new signature, and send an appropriate message to postmaster
 and webmaster with an updated URL to point to?

Tickle your external filtering router and drop all packets to port 80.
You won't get anything done until this thing dies anyway, and especially
home systems can usually afford a few hours of downtime w/o the sky (or
aggravated users) falling around you.

sl

MSIISProbes.pm



Well, I had already hacked Reuven's CodeRed.pm because I disagreed that
one should only send mail to the bozos once a day. 

So I hacked around some more and made a new module heavily based on
CodeRed.pm that recognizes CodeRed and this new worm (Nimda?) and can be
extended to carp about the new Micro$oft worms sure to come out in the
future.

By default the module behaves in the opposite way to Reuven's
original; that is, it uses the cache to count attacks per worm per IP
address, and sends mail each time with the updated count (the idea being
to bug ISP admins into taking action against their clueless users more
quickly!). But you can configure it to only send mail once per period if
you want.

I used a real ugly mod_rewrite hack to grab the requests (I didn't want to
lump all reqs for root.exe or cmd.exe into the same 'worm') ... I'm sure
others can improve on that. (BTW am I right in thinking that RewriteEngine
on needs to be specified for each virtual host?)

You can grab a gzip'ed copy of this at
http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz; the source follows
below fyi.

Comments/flames welcome, as this is the first public code I've dared to
post here :)

-- nick


package Apache::MSIISProbes;

use strict;
use vars qw($VERSION);

use Apache::Constants qw(OK DECLINED FORBIDDEN);
use Mail::Sendmail;
use Net::DNS;
use Cache::FileCache;
use Time::Zone;

# 
# What version of the module is this?
$VERSION = 1.01;

# Shall we be verbose? Set to '1' to log each attempt.
# Set to '2' to log all mail failures. Set to '0' for silence!
my $DEBUG = 1;

# Hash of URLs describing how to fix these problems.
# The key must be the same as defined for $worm_name in httpd.conf
my %security_url = (
  'CodeRed' = 
'http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp',
  'Nimda'   = 'http:[EMAIL PROTECTED]',
);

# What From: header should be inserted into outgoing e-mail?
my $from_address = '[EMAIL PROTECTED]';

# Do you want to know when one of these alerts has been sent?
# If so, put your address here.
my $cc_address = '';

# Define the Cache::Cache options we want to use.  If nothing else,
# indicate whether the cache should expire or not. If we want to track
# the number of attempts per IP address (and thus send multiple copies
# of the mail) we never expire the cache (this the default behavior).
# If we want to be less noisy we only send mail once per period. We must
# specify when to purge the cache in this case: default value is one day
# [86400 seconds]).
my $store = 1; # set to false to only send one message per IP per period
my %cache_options = $store ? '' : ('default_expires_in' = 86400);

# List of regexps that should be ignored
my @ignore_ip = '';# ('192\.168\..*', '10\..*');

# To what address at SecurityFocus do we report the attack?
my $security_focus_address = '[EMAIL PROTECTED]';

# Where to get information on this module
my $module_url = 'http://www.tonkinresolutions.com/MSIISProbes.pm.html';

# 

sub handler {
# Get Apache request/response object
my $r = shift;

# Get the server name
my $s = $r-server();
my $server_name = $s-server_hostname();

# Create a DNS resolver, which we'll need no matter what.
my $res = new Net::DNS::Resolver;

# 
# Open the cache of already-responded-to IP addresses,
# which we're going to keep in /tmp, just for simplicity.
#
# Use the environment var set by Apache to decide which part
# of the cache to use
my $worm_name = $r-dir_config('worm_name');
$cache_options{'namespace'} = $worm_name || 'Default';
my $file_cache = new Cache::FileCache(\%cache_options);

unless ($file_cache) {
$r-log_error(MSIISProbes: Could not instantiate FileCache.  Exiting.);
return DECLINED;
}

# Get the HTTP client's IP address.  We'll use this to
#  send mail to the people who run the domain.
my $remote_ip_address = $r-get_remote_host();

# If we don't have the remote IP address, then we cannot send mail
# to the remote server, can we?  Let's just stop now, while we're at it.
unless (defined $remote_ip_address) {
$r-warn(MSIISProbes: Undefined remote IP address!  Exiting.);
return DECLINED;
}

# If we have the remote IP address, then check to see
# if it's in our cache.
my $count = $file_cache-get($remote_ip_address);

# We update the cache with the new count no matter what,
# although the count may be cleared (if the mail fails)
$file_cache-set($remote_ip_address, ++$count);

if ($count  1) {
if ($store) {
# We go ahead anyway
$DEBUG  $r-warn(MSIISProbes: Attack number [$count] with [$worm_name] 
from [$remote_ip_address].  Re-mailing.);
} else {

Re: [OT] New Micro$oft vulnerability?


Tim Peoples writes:
 This 'Apache::Vermicide' module, installed as a 'PerlPostReadRequestHandler',
 seems to be preventing any 'PerlSetEnv' directives from being parsed out
 of a '.htaccess' file (or equivalent).  IOW, the ENV vars aren't getting
 set properly.
 
 I'm investigating how to remedy this issue.

Whoops!  Returning OK terminates the PostReadRequest phase,
apparently.  Changing that to return DECLINED made PerlSetEnv work
again.  Sorry,

Nat

Re: MSIISProbes.pm




On Tue, 18 Sep 2001, Emad Fanous wrote:

 any reason why the private address spaces between
 172.16.0.0-172.31.255.255 wasn't in your list of ignored
 ips?
 
 Thanks
 Emad


That came from the original author's CodeRed.pm. But it's considered a
configurable variable.

~~~
Nick Tonkin

Re: MSIISProbes.pm

2001-09-18 Thread Ask Bjoern Hansen


On Tue, 18 Sep 2001, Nick Tonkin wrote:

 I used a real ugly mod_rewrite hack to grab the requests (I didn't want to
 lump all reqs for root.exe or cmd.exe into the same 'worm') ... I'm sure
 others can improve on that. (BTW am I right in thinking that RewriteEngine
 on needs to be specified for each virtual host?)

Yes,

RewriteEngine on
RewriteRule ...
[...]

virtualhost ...
  [...]
  RewriteEngine on
  RewriteOptions inherit
/virtualhost

or something like that for each VirtualHost is your friend.

:-)

-- 
ask bjoern hansen, http://ask.netcetera.dk/ !try; do();
more than a billion impressions per week, http://valueclick.com

Re: [OT] New Micro$oft vulnerability?


Tim Peoples writes:
 I tried doing the s/OK/DECLINED/ thing and it didn't do the trick.  :-(

You're right, it was the restart that did it.  OK/DECLINED makes no
difference in that handler.

I'm seeing, with or without my handler, the PerlSetEnv stuff only
happening once per connection rather than once per request.

That is, the first time I hit a printenv page, I see the envariables.
The second, third, etc. times I don't.  Unless I wait a while, in
which case my browser closes the persistent connection to the server,
and then the next load of the printenv page displays the variables
again.

As I say, this happens regardless of whether or not I enable the
PostReadRequest handler.

 I forgot to mention that this is in combination with HTML::Mason,
 but I doubt that should have any effect.

I'm seeing it in mod_perl 1.22 on Apache 1.3.12 on FreeBSD, without
Mason.

Nat

Re: MSIISProbes.pm



On Tue, 18 Sep 2001, Ask Bjoern Hansen wrote:

 On Tue, 18 Sep 2001, Nick Tonkin wrote:
 
  I used a real ugly mod_rewrite hack to grab the requests (I didn't want to
  lump all reqs for root.exe or cmd.exe into the same 'worm') ... I'm sure
  others can improve on that. (BTW am I right in thinking that RewriteEngine
  on needs to be specified for each virtual host?)
 
 Yes,
 
 RewriteEngine on
 RewriteRule ...
 [...]
 
 virtualhost ...
   [...]
   RewriteEngine on
   RewriteOptions inherit
 /virtualhost
 
 or something like that for each VirtualHost is your friend.
 
 :-)

Well, yeah, I figgered that out :) But it should inherit, sez I.

-nick

 
 -- 
 ask bjoern hansen, http://ask.netcetera.dk/ !try; do();
 more than a billion impressions per week, http://valueclick.com

Nimda worm



Heh, as Nat maybe saw the worm doesn't always request ?/c+dir, so until I
can figure out a better way to identify it we'll have to go with
cmd.exe|root.exe

so my httpd.conf is now:

Location /default.ida
SetHandler perl-script
PerlHandler Apache::MSIISProbes
PerlSetVar worm_name CodeRed
/Location

LocationMatch (cmd.exe|root.exe)   
SetHandler perl-script
PerlHandler Apache::MSIISProbes
PerlSetVar worm_name Nimda
/LocationMatch





~~~
Nick Tonkin

Mod_perl woes

2001-09-18 Thread brooks roy


Hello, I have just installed mod_perl into my Apache 1.3.20 install :).. I
have apache+mod_ssl+mod_frontpage+php.

When ever I apachectl start it start up fine but when I try to load a
webpage, it says it cannot access the specified URL, here is a capture of
the error_log.


Any ideas are appreciated... thanks



[Tue Sep 18 16:11:20 2001] [notice] Apache/1.3.20 (Unix) FrontPage/4.0.4.3
mod_perl/1.26_01-dev PHP/4.0.6 configured -- resuming normal operations
[Tue Sep 18 16:11:22 2001] [notice] child pid 25702 exit signal Segmentation
fault (11)
[Tue Sep 18 16:11:23 2001] [notice] child pid 25704 exit signal Segmentation
fault (11)
[Tue Sep 18 16:11:24 2001] [notice] child pid 25707 exit signal Segmentation
fault (11)
[Tue Sep 18 16:11:24 2001] [notice] child pid 25706 exit signal Segmentation
fault (11)
[Tue Sep 18 16:11:24 2001] [notice] child pid 25703 exit signal Segmentation
fault (11)
[Tue Sep 18 16:11:28 2001] [notice] child pid 25708 exit signal Segmentation
fault (11)
[Tue Sep 18 16:11:29 2001] [notice] child pid 25709 exit signal Segmentation
fault (11)
[Tue Sep 18 16:11:36 2001] [notice] child pid 25710 exit signal Segmentation
fault (11)
[Tue Sep 18 16:11:42 2001] [notice] child pid 25711 exit signal Segmentation
fault (11)
[Tue Sep 18 16:11:45 2001] [notice] child pid 25713 exit signal Segmentation
fault (11)
[Tue Sep 18 16:11:46 2001] [notice] child pid 25712 exit signal Segmentation
fault (11)



--Brooks Roy

Re: Mod_perl woes

2001-09-18 Thread Jeffrey W. Baker




On Tue, 18 Sep 2001, brooks roy wrote:

 Hello, I have just installed mod_perl into my Apache 1.3.20 install :).. I
 have apache+mod_ssl+mod_frontpage+php.

 When ever I apachectl start it start up fine but when I try to load a
 webpage, it says it cannot access the specified URL, here is a capture of
 the error_log.

Three ideas:

1) Make sure that Apache, Perl, mod_perl, mod_php, and whatever else are
all compiled with large file support, or without it, consistently

2) Make sure that PHP isn't using its built-in mysql driver

3) Check the order of your module loading

Personally, I think you should just build php and perl in statically
instead of via DSO.

-jwb

Re: Using APACHE::ASP objects into a AuthenHandler

2001-09-18 Thread Joshua Chamas


willems Luc wrote:
 
 Hello  ,
 
 I have a quistion abous $Session objects. Is it possible to us this objects
 in a custom Authentication handler.
 
 The idea is to use a ASP script to login the user and put some user info into
 the session object if the user is valid. After that i redirect the user 1
 level deeper. In this level only users with a valid session can acces any
 file (this includes html,asp and other files).
 
 the idea is to do somthing like
 
 $session = Apache::ASP-Session;
 blablabla
 

I have just added support for this kind of thing in 
my dev version Apache::ASP 2.23 

This is not optimized, where the ASP object will end up 
getting created twice during the request, but for most 
this would not be an issue. If the performance hit is 
a problem, I will have to devise a cross handler 
caching mechanism for the ASP object.

Here's the note from CHANGES so far:

 +New API for accessing ASP object information in non content
  handler phases:

use Apache::ASP;
sub My::Auth::handler {
  my $r = shift;
  my $ASP = Apache::ASP-new($r) 
  my $Session = $ASP-Session;
}

  In the above example, $Session would be the same $Session
  object created later while running the ASP script for this
  same request.  

I will send it to you separately.  Also, I will send you
my latest MLDBM::Sync .15 on which Apache::ASP will depend
next release.

--Josh
_
Joshua Chamas   Chamas Enterprises Inc.
NodeWorks Founder   Huntington Beach, CA  USA 
http://www.nodeworks.com1-714-625-4051

RE: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Geoffrey Young


 

 I'm seeing, with or without my handler, the PerlSetEnv stuff only
 happening once per connection rather than once per request.

I think this was addressed for 1.26

http://marc.theaimsgroup.com/?t=9946915503w=2r=1

however, as you can see at the end of the thread, I don't think the problem
is fixed yet.  Doug hasn't had the time to look into the issue further (at
least as of a few weeks ago when I pinged him about it).

--Geoff

Re: modperl Digest 17 Sep 2001 14:50:16 -0000 Issue 545

2001-09-18 Thread Stas Bekman


On Tue, 18 Sep 2001, Roger Espel Llima wrote:

 Stas Bekman [EMAIL PROTECTED] wrote:
  Also check the archives for 'lingerd' keyword. Here is what I've but it
  didn't enter the guide yet, since it's waiting to be reviewed by Roger
  Espel Llima, the author of lingerd. ...and waiting, and waiting, and
  waiting :(

 sorry, I've had a bunch of lingerd work in my todo list for so long,
 and i haven't got around to doing it yet...

 when you sent me the guide snippet to check, I felt like I wanted to
 change some things, but now that I re-read it, the information seems
 to be perfectly correct.  I'd just switch the first two paragraphs
 around, to start with the sentence that introduces where lingerd
 fits in the Apache/mod_perl picture...

cool, will switch and add to the guide.

  Let me know if it was useful and correct, and I'll put it into the guide.

 It is... sorry for the long delay.

no prob at all :)

Thanks Roger!

_
Stas Bekman  JAm_pH --   Just Another mod_perl Hacker
http://stason.org/   mod_perl Guide  http://perl.apache.org/guide
mailto:[EMAIL PROTECTED]   http://apachetoday.com http://eXtropia.com/
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/

cvs commit: modperl-2.0/t/protocol eliza.t


stas01/09/18 08:20:12

  Modified:t/protocol eliza.t
  Log:
  - test_module has gone, s/test_module/have_module/
  
  Revision  ChangesPath
  1.2   +1 -1  modperl-2.0/t/protocol/eliza.t
  
  Index: eliza.t
  ===
  RCS file: /home/cvs/modperl-2.0/t/protocol/eliza.t,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- eliza.t   2001/09/06 02:45:13 1.1
  +++ eliza.t   2001/09/18 15:20:11 1.2
  @@ -10,7 +10,7 @@
   'I feel like writing some tests today, you?',
   'good bye');
   
  -plan tests = 1 + @test_strings, test_module 'Chatbot::Eliza';
  +plan tests = 1 + @test_strings, have_module 'Chatbot::Eliza';
   
   my $socket = Apache::TestRequest::vhost_socket('TestProtocol::eliza');

cvs commit: modperl-2.0/util apr_arg_check.pl apr_pool_check.pl cvsize.pl source_stats.pl


stas01/09/18 09:12:51

  Modified:util apr_arg_check.pl apr_pool_check.pl cvsize.pl
source_stats.pl
  Log:
  adding shebang and making most of the utils executable, since they can use
  generic perl
  
  Revision  ChangesPath
  1.2   +2 -0  modperl-2.0/util/apr_arg_check.pl
  
  Index: apr_arg_check.pl
  ===
  RCS file: /home/cvs/modperl-2.0/util/apr_arg_check.pl,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- apr_arg_check.pl  2001/03/04 23:43:36 1.1
  +++ apr_arg_check.pl  2001/09/18 16:12:51 1.2
  @@ -1,3 +1,5 @@
  +#!/usr/bin/perl -w
  +
   use lib qw(lib);
   
   use strict;
  
  
  
  1.2   +2 -0  modperl-2.0/util/apr_pool_check.pl
  
  Index: apr_pool_check.pl
  ===
  RCS file: /home/cvs/modperl-2.0/util/apr_pool_check.pl,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- apr_pool_check.pl 2001/03/16 02:32:43 1.1
  +++ apr_pool_check.pl 2001/09/18 16:12:51 1.2
  @@ -1,3 +1,5 @@
  +#!/usr/bin/perl -w
  +
   #check which apr_ functions do not have access to a pool
   
   use lib qw(lib);
  
  
  
  1.3   +2 -0  modperl-2.0/util/cvsize.pl
  
  Index: cvsize.pl
  ===
  RCS file: /home/cvs/modperl-2.0/util/cvsize.pl,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- cvsize.pl 2001/09/18 16:05:16 1.2
  +++ cvsize.pl 2001/09/18 16:12:51 1.3
  @@ -1,3 +1,5 @@
  +#!/usr/bin/perl -w
  +
   #get an idea of how much space the XS interface will eat
   #build/source_scan.pl must be run first
   #see pod/modperl_sizeof.pod
  
  
  
  1.2   +2 -0  modperl-2.0/util/source_stats.pl
  
  Index: source_stats.pl
  ===
  RCS file: /home/cvs/modperl-2.0/util/source_stats.pl,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- source_stats.pl   2001/03/04 23:38:22 1.1
  +++ source_stats.pl   2001/09/18 16:12:51 1.2
  @@ -1,3 +1,5 @@
  +#!/usr/bin/perl -w
  +
   use lib qw(lib);
   
   use strict;

cvs commit: modperl-2.0/util perl_bloat.pl


stas01/09/18 09:16:18

  Added:   util perl_bloat.pl
  Log:
  adding a useful utility that reports how much bloat some perl code adds
  
  Revision  ChangesPath
  1.1  modperl-2.0/util/perl_bloat.pl
  
  Index: perl_bloat.pl
  ===
  #!/usr/bin/perl -w
  
  use GTop ();
  
  my $gtop = GTop-new;
  my $before = $gtop-proc_mem($$)-size;
  
  for (@ARGV) {
  if (eval require $_) {
  eval {
  $_-import;
  };
  }
  else {
  eval $_;
  die $@ if $@;
  }
  }
  
  my $after = $gtop-proc_mem($$)-size;
  
  printf @ARGV added %s\n, GTop::size_string($after - $before);

cvs commit: modperl-2.0/build - New directory