Re: WebObjects App Open To Hackers - So I'm Told
- Subject: Re: WebObjects App Open To Hackers - So I'm Told
- From: "Jonathan Fleming" <email@hidden>
- Date: Tue, 08 Jul 2003 22:59:11 +0100
From: Marek Wawrzyczny <email@hidden>
To: "Jonathan Fleming" <email@hidden>
CC: email@hidden, email@hidden, email@hidden,
email@hidden, email@hidden, email@hidden,
email@hidden, email@hidden,
email@hidden
Subject: Re: WebObjects App Open To Hackers - So I'm Told
Date: Tue, 8 Jul 2003 13:26:00 +1000
Hi Jonathan,
Just wondering if you had a chance to speak to the Microsoft engineer. It
would be nice to have his actual concerns and responses to these concerns
archived in these mailing lists for future reference.
Guys, I haven't forgotten about this, I'm still trying to get hold of him on
his home telephone number to get his comment but I'm getting no reply so
far. If I don't get hold of him tonight (UK time) I'll try and catch him at
work tomorrow, but don't worry, I will get hold of him and will let you all
know what he was trying to say.
Jonathan
While there was a lot of (justified) ridicule about Microsoft's IIS in the
replies, the actual question asked may be asked by people considering
WebObjects. I had a brief look through the WebObjects site (in particular
WO overview) and failed to find any real discussion on the topic of
security. What seems obvious to us may not seem obvious to many; after all,
prior to working with WebObjects I never had to deal with Apache's
adaptors.
On Friday, Jul 4, 2003, at 05:43 Australia/Sydney, Jonathan Fleming wrote:
On Thursday, July 3, 2003, at 10:58 AM, Jonathan Fleming wrote: OK
guys, I hear what you are all saying so I'm going to give you the address
in question live:
http://217.65.164.40/cgi-bin/WebObjects.dll/JandM.woa/1/wa/Terms Is this
address a security issue?
From : Alan Ward <email@hidden>
Not that I can tell. I tried hitting http://217.65.164.40/cgi-bin and got
a directory listing denied (which is good). I have seen people
misconfigure their web server such that you can do this to see what's in
their cgi-bin and potentially download it. Not sure you'd be able to
replace it though without exploiting some other web server hole.
Personally I would ask the Microsoft dude why he thinks it's a
vulnerability. Should be good for a laugh if nothing else ;-) Certainly
seems less vulnerable to me than the simple act of reading your email in
OutLook ;-)
I'm going to be talking with him later tonight (UK time) hopefully, I'll
let you all know what he says tomorrow.
<...snip...>
Thanks guys for all your replies, all were duly noted.
Kind regards
Jonathan :^)
ps will get back to you on Friday with what this engineer was talking
about.
Marek Wawrzyczny
software engineer
-------------------------->
ish group pty ltd
7 Darghan St Glebe 2037 Australia
phone +61 2 9660 1400 fax +61 2 9660 7400
http www.ish.com.au | email email@hidden
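Alan Ward's check above (a denied directory listing on /cgi-bin, and the adaptor not being downloadable) can be repeated against your own deployment. The script below is an added example, not code from the thread or from Apple; the server name is a placeholder, and the classification rules (a 401/403/404 counts as denied, an "Index of" title counts as an exposed listing, a binary Content-Type counts as the adaptor being served as a file) are this example's assumptions.

```python
"""Added example: sanity-check a WebObjects deployment's cgi-bin exposure.
Run it only against a server you administer; the host is a placeholder."""
import re
import urllib.error
import urllib.request

# Apache-style and IIS-style directory listings both put "Index of /..." in the title.
LISTING_RE = re.compile(r"<title>\s*Index of\s*/", re.IGNORECASE)
BINARY_TYPES = ("application/octet-stream", "application/x-msdownload")


def classify_listing(status, body):
    """Classify a GET /cgi-bin/ response: 'denied', 'exposed' or 'unclear'."""
    if status in (401, 403, 404):
        return "denied"
    if status == 200 and LISTING_RE.search(body):
        return "exposed"
    return "unclear"


def classify_adaptor(status, content_type):
    """Classify a GET of the adaptor URL itself (e.g. /cgi-bin/WebObjects.dll).
    'served' means the web server handed back the file instead of running it."""
    media_type = content_type.split(";")[0].strip().lower()
    if status == 200 and media_type in BINARY_TYPES:
        return "served"
    if status == 200:
        return "executed"
    return "unreachable"


def fetch(url):
    """Return (status, content_type, first 4 KiB of body) for url, offline-safe on errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "wo-config-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            ctype = resp.headers.get("Content-Type", "")
            return resp.getcode(), ctype, resp.read(4096).decode("latin-1")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), ""


def check_deployment(base):
    """Run both checks against base (scheme://host) and return a verdict per check."""
    status, _, body = fetch(base + "/cgi-bin/")
    status2, ctype, _ = fetch(base + "/cgi-bin/WebObjects.dll")
    return {"cgi-bin listing": classify_listing(status, body),
            "adaptor binary": classify_adaptor(status2, ctype)}


if __name__ == "__main__":
    for name, verdict in check_deployment("http://your-server.example").items():
        print(f"{name}: {verdict}")
```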
_______________________________________________
webobjects-dev mailing list | email@hidden