[BlueOnyx:00373] Re: Questions about BlueOnyx...

Ken Marcus - Precision Web Hosting, Inc. kenmarcus at precisionweb.net
Sat Jan 24 22:28:47 -05 2009


> Hi Darrell,
>
>> Are there any issues CMU exporting/importing a machine with a website the
>> same name as the hostname?  If the machine's host name is www.domain.com, is
>> this a problem?
>
> As on BlueQuartz the server name cannot be identical to that of a site. This
> has been the case on BlueQuartz for like 2-3 years now - if I recall
> correctly. The issue here is that Sendmail otherwise has issues resolving
> local users.
>
> CMU between BlueQuartz and BlueOnyx works just fine.
>
>> It is posted that an upgrading procedure that explains how to upgrade a
>> BlueQuartz to BlueOnyx will also be made available shortly. Would it be
>> more advantageous to simply wait until this has been completed?
>
> Depends. In any case the upgrade procedure will not be for the faint of
> heart. After all, even the CentOS developers recommend a reinstall instead
> of an upgrade from CentOS4 to CentOS5. This is for a good reason. To some
> degree our procedure works around that, but the more modifications your
> BlueQuartz server already has, the more tricky the upgrade will get. And we
> cannot (nor will we) guarantee that the upgrade won't result in a total
> trainwreck - despite all the precautions we're taking.
>
> Hence: CMU will be risk free, the upgrade will be .... tricky at best.
>
>> Also, does CMU export/import pick up cron jobs and other things in the
>> root user's directory?
>
> No, CMU never did that.
>
>> Specifically, I would like to ask about the following four software
>> packages that I have installed on my BQ machine, which are used often:
>>
>> 1. Majordomo.  What is the status of BO's Majordomo installation as
>> migrated/adopted from BQ?  I have an operating Majordomo on my box and do
>> not want to lose it.
>
> CMU takes care of that.
>
>> 2. Awstats.  I am using the webmerch.com "AWStats v6.5 for the BQ
>> Appliance Server" software.  Will this run on BO?
>
> AWStats 6.5 is quite outdated. You should grab a more recent copy somewhere.
> No idea if that PKG will work on BlueOnyx, as I don't know how it was built.
>
>> 3. OpenWebmail 2.51 by forhire.  I am not a SquirrelMail fan, and prefer
>> OpenWebMail.  Has anyone tried to install this or know of a package that
>> works?
>
> No idea if that will work. I know that PKG, but would rather not like to
> comment on it. I'll have an OpenWebmail PKG for BlueOnyx ready in a few days.
>
>> 4. ZendOptimizer 2.5.10. webmerch.com's "Zend Optimizer v2.5.10 for the
>> BQ Appliance Server".  Does BO have a Zend package?
>
> That Zend Optimizer version already has gathered a lot of dust. It may not
> work - not sure there. Might be worth a try. However, installing Zend
> Optimizer from the command line is fairly easy. However, it typically will
> conflict with the IonCube Loader which is already built into BlueOnyx,
> unless IonCube is loaded prior to Zend Optimizer. So it may be a good idea
> if I include Zend by default in BlueOnyx. Need to check their license again
> to see if that's an option. If so, it'll be included soonish.
>
>> The other software installed on my machine that isn't as critical to me 
>> is:
>>
>> 5. Chilisoft ASP. It shows "Sun Java System Active Server Pages 4.0" from
>> NuOnce.Net as the source. Will BO run the same Chilisoft ASP packages that
>> I have installed and operating now?
>
> At the moment there is no GUI to integrate ChiliSoft ASP into BlueOnyx, but
> the server side "stuff" of it that can be downloaded at the Sun website
> should work. I'll be looking into ASP soonish to make it available in one
> form or another for BlueOnyx.
>
>> 6. DevTools. This is the webmerch.com "DevTools v1.01 for BQ Appliance
>> Server". This looks like it is built in, or something similar to it.
>
> Don't know exactly what that is, but if it's the development tools for
> Linux (gcc, automake, autoconf, etc. pp.), then you can install all that
> through YUM.
>
>> 7. Dincom_System_GUI. This is the "1.0.1 System Information GUI" software
>> from dincom.co.uk.  It may be built in or something similar.
>
> Isn't that a PKG'ized phpSysinfo? If so, it's already included in BlueOnyx
> by default.
>
>> 8. FrontPage 2002.  This is the NuOnce.net "Frontpage 2002 Support"
>> software.  Will this install?
>
> No! Frontpage support for Linux was discontinued by Microsoft a couple of
> years ago. And the old Linux sources for Frontpage don't work with
> Apache-2.2 anymore. Even if they would, the licensing would not permit
> using it anymore. So Frontpage support is dead and it won't come back.
>
>> 9. GCC Compile Tools for CentOS. NuOnce.Net's "GCC Tools v4.2".  This
>> would be beneficial at some point.
>
> See above. GCC and any Linux development tools can be installed through
> YUM.
>
>> 10. Midnight Commander. Solarspeed.net's 4.6.1 command line utility.
>
> Already installed on BlueOnyx.
>
>> 11. NuOnce_Hosts_Fix. NuOnce.Net's "Hosts file generator".
>
> Already installed on BlueOnyx.
>
>> 12. YUM Update GUI 2.0.2. Nuonce.net & Solarspeed.net's GUI to manage YUM
>> Updates
>
> Already installed on BlueOnyx.
>
>> 13. mod_auth_external 2.1. NuOnce.Net's "mod_auth_external" software.
>
> Already installed on BlueOnyx.
>
> -- 
> With best regards
>
> Michael Stauber
>

One more comment on the Chilisoft ASP: it seems the current version that
that package was available for has some vulnerabilities:

>>
Description :

The remote host is running Sun Java System Active Server Pages (ASP), or an
older variant such as Sun ONE ASP or Chili!Soft ASP.

The web server component of the installed version of Active Server Pages on
the remote host is affected by several vulnerabilities :

- A flaw in an include file used by several of the administration server's
  ASP applications allows an attacker to write arbitrary data to a file
  specified by an attacker on the affected host. This issue does not affect
  ASP Server on a Windows platform (CVE-2008-2401).

- Password and configuration data are stored in the administration server's
  web root and can be retrieved without credentials. This issue does not
  affect ASP Server on a Windows platform (CVE-2008-2402).

- Multiple directory traversal vulnerabilities exist in several of the
  administration server's ASP applications that can be abused to read or
  even delete arbitrary files on the affected host. This issue does not
  affect ASP Server on a Windows platform (CVE-2008-2403).

- A stack buffer overflow allows code execution in the context of the ASP
  server (by default root) and can be exploited without authentication
  (CVE-2008-2404).

- Several of the administration server's ASP applications fail to filter or
  escape user input before using it to generate commands before executing
  them in a shell. While access to these applications nominally requires
  authentication, there are reportedly several methods of bypassing
  authentication (CVE-2008-2405).

See also :

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=705
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=706
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=707
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=708
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=709
http://archives.neohapsis.com/archives/bugtraq/2008-06/0029.html
http://archives.neohapsis.com/archives/bugtraq/2008-06/0030.html
http://archives.neohapsis.com/archives/bugtraq/2008-06/0032.html
http://archives.neohapsis.com/archives/bugtraq/2008-06/0034.html
http://archives.neohapsis.com/archives/bugtraq/2008-06/0036.html
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1

Solution :

Upgrade to Sun Java System ASP version 4.0.3 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
<<


----
Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net
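The hostname rule from Michael's reply (no virtual site may carry the same FQDN as the server itself, or Sendmail fails to resolve local users) is worth checking before a CMU export/import rather than discovering it from bounced mail afterwards. The script below is an added example written for this thread; it is not code from the list post, BlueQuartz or BlueOnyx. It assumes a hand-made text file listing the virtual sites' FQDNs one per line (on a real box you would generate that list from the site configuration) and takes the hostname as an argument, for instance the output of `hostname -f`.

```shell
#!/bin/sh
# Added example, not part of the BlueOnyx list post or the BlueQuartz/BlueOnyx code.
# Pre-migration sanity check: a server hostname that equals a site's FQDN
# breaks Sendmail's local-user resolution, so refuse that combination early.

# hostname_is_free HOSTNAME SITES_FILE
#   SITES_FILE: assumed list of site FQDNs, one per line; '#' lines are comments.
#   Returns 0 when no site FQDN equals HOSTNAME, 1 on a collision.
#   The comparison is case-insensitive and ignores a trailing dot on either side.
hostname_is_free() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    sites_file=$2
    # The '|| [ -n "$site" ]' clause still processes a last line without a newline.
    while IFS= read -r site || [ -n "$site" ]; do
        site=$(printf '%s' "$site" | tr 'A-Z' 'a-z' | sed 's/\.$//')
        [ -z "$site" ] && continue
        case "$site" in
            \#*) continue ;;
        esac
        if [ "$site" = "$host" ]; then
            echo "COLLISION: hostname '$1' is also the site '$site'" >&2
            return 1
        fi
    done < "$sites_file"
    return 0
}

# Demonstration with a constructed site list (not real sites).
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed site list' 'www.example.com' 'shop.example.net' > "$tmp"
    for candidate in server.example.com WWW.Example.COM.; do
        if hostname_is_free "$candidate" "$tmp"; then
            echo "ok: '$candidate' is not a site name, safe to migrate"
        else
            echo "fix: rename the server (e.g. server.example.com) before the CMU import"
        fi
    done
    rm -f "$tmp"
}

demo
```

The demo runs the check twice: `server.example.com` passes, while `WWW.Example.COM.` is flagged because, after lower-casing and dropping the trailing dot, it equals the site `www.example.com`.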