GlimpseHTTP security

A security hole in glimpseHTTP version 2.0 was discovered on July 2, 1997, and it looks like it is being actively exploited. Versions 1.x seem less vulnerable in general, but they are most likely also not secure.

We decided not to support glimpseHTTP any more, and instead we are recommending that all users of the glimpseHTTP package upgrade to the new WebGlimpse as soon as possible. WebGlimpse provides all the features of GlimpseHTTP and a whole lot more. We made a significant effort to ensure the security of the new WebGlimpse (although we cannot guarantee absolute security, especially since almost everyone else seems to be vulnerable in one way or another).

Thanks to Stephane Bortzmeyer (bortzmeyeri, at pasteur.fr), who first brought it to our attention, and to CERT and AUSCERT for providing assistance.

To check whether attacks have been attempted against your server, try:

egrep -i 'aglimpse.*(\||IFS)' {WWW_HOME}/logs/access_log

where {WWW_HOME} is the base directory for your web server.
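
The check above, wrapped as a small script and run over constructed log lines (an added example, not part of the original advisory). It goes beyond the advisory's pattern by also matching the percent-encoded pipe, %7C, and by grouping hits per client; the function names, sample requests and addresses are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: the advisory's egrep check as reusable functions.
# Extension (assumption): also match "%7c", the percent-encoded "|",
# in case the client sent the pipe in encoded form.

# scan_aglimpse LOGFILE: print aglimpse requests containing |, %7C or IFS.
scan_aglimpse() {
    grep -E -i 'aglimpse.*(\||%7c|IFS)' "$1"
}

# summarize_aglimpse LOGFILE: print "hits client" per client, busiest first.
# Assumes Common Log Format, where field 1 is the client address.
summarize_aglimpse() {
    scan_aglimpse "$1" |
        awk '{ hits[$1]++ } END { for (c in hits) print hits[c], c }' |
        sort -rn
}

# make_sample_log: emit constructed log lines (not real traffic).
# Lines 2-4 should match; lines 1 and 5 are ordinary requests.
make_sample_log() {
    cat <<'EOF'
192.0.2.10 - - [03/Jul/1997:10:00:01 -0700] "GET /cgi-bin/aglimpse?query=security HTTP/1.0" 200 1532
198.51.100.7 - - [03/Jul/1997:10:02:13 -0700] "GET /cgi-bin/aglimpse|PLACEHOLDER HTTP/1.0" 200 0
198.51.100.7 - - [03/Jul/1997:10:02:40 -0700] "GET /cgi-bin/aglimpse%7CPLACEHOLDER HTTP/1.0" 200 0
203.0.113.5 - - [03/Jul/1997:10:05:00 -0700] "GET /cgi-bin/aglimpse?x=IFS_PLACEHOLDER HTTP/1.0" 404 210
192.0.2.10 - - [03/Jul/1997:10:06:00 -0700] "GET /index.html HTTP/1.0" 200 4096
EOF
}

# Demo run over the constructed sample.
log=$(mktemp)
make_sample_log > "$log"
summarize_aglimpse "$log"
rm -f "$log"
```

To scan a real server, call summarize_aglimpse on {WWW_HOME}/logs/access_log and on any rotated copies of it.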