Security Concern related to embedded Apache

9 posts in General Discussion Last posting was on 2006-04-06 02:15:33.0Z
Pedro Mendoza Posted on 2006-03-01 02:19:39.0Z

Hi, my enterprise security team detected a security
vulnerability in the server where I have mBusiness Server
installed. The vulnerability is related to the embedded
Apache server.
Is there a way to upgrade the embedded Apache server to a
newer Apache version?

Regards!

Here are the details:
mBusiness Version:
Web Edition Pro Version 5.5 b128 Windows

Vulnerability detected:
Description: The version of the Apache web service running on
this system appears to be vulnerable to a directory
traversal attack. A potential intruder could abuse this to
view any file on the system.

Solution: Update to Apache 2.0.40 or later.


Enrico Pallazzo Posted on 2006-03-01 15:19:42.0Z

No, but the sync server rejects anything that is not a sync request. I doubt
it is vulnerable.


Pedro Mendoza Posted on 2006-03-01 18:48:58.0Z

According to the technical note
(http://www.ianywhere.com/developer/technotes/mb_test_web_docs.html)
"The Apache server hosts the administration of the
M-Business Server and provides a transportation layer for
communicating with clients."

So, because the mBusiness administration interface is using
Apache, the attack could be possible.



Greg Fenton Posted on 2006-03-01 20:57:18.0Z

Pedro Mendoza wrote:
>
> So, because the mBusiness administration interface is using
> Apache, the attack could be possible.

Yes, but the vast majority of mBA customers (all?) do not expose the
admin server outside of their intranet.

Is that an option for you?

greg.fenton
--
Greg Fenton
Consultant, Solution Services, iAnywhere Solutions
--------
Visit the iAnywhere Solutions Developer Community
Whitepapers, TechDocs, Downloads
http://www.ianywhere.com/developer/


Greg Fenton Posted on 2006-03-02 04:12:55.0Z

Pedro Mendoza wrote:
> In this case I have the mBA in a DMZ because the Sales Force
> is on the road.

There are two servers we are talking about here: the sync server and the
admin server. Having the sync server in the DMZ makes sense, but having
the admin server accessible from outside of your intranet most likely
does not.

greg.fenton
--
Greg Fenton
Consultant, Solution Services, iAnywhere Solutions
--------
Visit the iAnywhere Solutions Developer Community
Whitepapers, TechDocs, Downloads
http://www.ianywhere.com/developer/
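
The triage this thread arrives at, as an added example (not written by any poster and not iAnywhere code): compare each listener's Apache banner with the scanner's 2.0.40 threshold, then check whether the admin listener accepts sources outside the intranet. The listener records, banners and CIDR ranges are constructed for illustration; the roles `admin` and `sync` follow the two servers named above, and "intranet" is assumed to mean RFC 1918 IPv4 space.

```python
import ipaddress
import re

FIXED = (2, 0, 40)  # threshold taken from the scanner's "Solution" line
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def apache_version(banner):
    """Return (major, minor, patch) from a Server header, or None if hidden."""
    m = re.search(r"\bApache/(\d+)\.(\d+)\.(\d+)", banner or "")
    return tuple(int(g) for g in m.groups()) if m else None

def below_fix(banner):
    """True/False when the banner decides it, None when it cannot."""
    v = apache_version(banner)
    if v is None:
        return None              # version suppressed: the banner proves nothing
    if v >= FIXED:
        return False
    return True if v[:2] == (2, 0) else None  # older branches: not covered here

def intranet_only(allowed_sources):
    """True only if every permitted IPv4 source range sits inside RFC 1918."""
    nets = [ipaddress.ip_network(c) for c in allowed_sources]
    # An empty list means no restriction was recorded, so assume exposed.
    return bool(nets) and all(any(n.subnet_of(r) for r in RFC1918) for n in nets)

def triage(listener):
    old = below_fix(listener["banner"])
    if old is None:
        return "verify-manually"
    if not old:
        return "ok"
    if intranet_only(listener["allowed_sources"]):
        return "outdated-internal"
    # Outdated and reachable from outside: the admin interface comes first.
    return "restrict-now" if listener["role"] == "admin" else "outdated-exposed"

# Constructed inventory; the banners are NOT the product's real version strings.
LISTENERS = [
    {"name": "admin-dmz", "role": "admin", "banner": "Apache/2.0.39 (Win32)",
     "allowed_sources": ["0.0.0.0/0"]},
    {"name": "sync-dmz", "role": "sync", "banner": "Apache/2.0.39 (Win32)",
     "allowed_sources": ["0.0.0.0/0"]},
    {"name": "admin-lan", "role": "admin", "banner": "Apache/2.0.39 (Win32)",
     "allowed_sources": ["10.0.0.0/8", "192.168.10.0/24"]},
    {"name": "admin-quiet", "role": "admin", "banner": "Apache",
     "allowed_sources": ["10.0.0.0/8"]},
]

def report():
    return {l["name"]: triage(l) for l in LISTENERS}
```

A banner match is only what the scanner itself relied on ("appears to be vulnerable"), so `verify-manually` and `outdated-exposed` both call for a check of what the listener actually serves rather than a verdict.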