[Wolves] The rimming of Peter Oliver continues...

Aquarius wolves at mailman.lug.org.uk
Tue Sep 23 10:22:01 2003


Chris Procter spoo'd forth:
>> Soon I'll convince people that since we're
>>Apache on some boxen anyway that I should write code in something other
>>than ASP, and then the Day of the Aq begins...
> 
> You have ASP running on Apache? Is this some Sun/Chilisoft thing or have I
> misread that entirely? How did you persuade them to change over?

http://www.opensa.org/

You need the 1.x version, but, yes, it runs ASP. There are a few
unimportant things it doesn't do (Request.ClientConnected, that sort of
thing) and two very big caveats. Very Big Caveat no 1: it only runs on
Windows. This is because it doesn't do VBS/JS work itself, it just
wraps the MS scripting DLLs. Very Big Caveat no 2: it doesn't do SSI.
This is a big problem for ASPs, as you can imagine, since all your code
includes won't work. However, you can just copy the code inline and
that'll work; obviously this isn't suitable for a big complicated
application, but it'll work fine for small things.

Further ideas on this: 
Firstly, can anyone out there get cscript.exe and wscript.exe to run on
Linux using Wine? If they could, then it would be pretty easy to port
the OpenSA activescripting stuff to Linux Apache, and, pow, working ASP
on Linux (although using the MS scripting engines with Wine). This'd
break as soon as you did Server.CreateObject, since you wouldn't have a
COM object to create, but frankly you'd only need to emulate
Scripting.Dictionary, ADODB.*, and MSXML.*, and you'd cover 90% of ASP
applications in a heartbeat.

Secondly, my firm, at my instigation, offered to pay Daniel
Reichenbach, the lead (well, pretty much only) OpenSA developer to hack
SSI into the ASP code, but after agreeing to do it he went all quiet
and isn't responding to my emails about it :( So, is there anyone
around who is OK with C in a Windows environment? I can't imagine that
it's very difficult to do SSI stuff, and I'll only ask for 
<!-- #include file -->, which makes it even easier. That way, although
we won't be getting people off Windows, we might get them off IIS,
which'd stop Code Red and so on -- imagine, a drop-in replacement for
IIS with mod_rewrite and no vulnerabilities! I can't understand why the
guy won't hack this in...especially after we offered to pay :(

Thirdly, you can't get Apache 1.x to do the SSI for you and then pass
the SSIed code to mod_asp. You *can* get Apache 2.x to do this, but
OpenSA 2.x (based on Apache 2.x) doesn't include the ASP code! I asked
Dan Reichenbach why, and he said that he was working on some ASP.NET
thing and mod_asp would need loads of changes to fit into 2.x. Sigh.

Fourthly, I persuaded the firm by saying, look, IIS crashes more than
Apache, Apache is more powerful than IIS, and Apache is the industry
standard; a *lot* more people are using it than all competitors put
together, according to Netcraft.

Aq.

-- 
x^n + y^n = z^n where n > 2: no solutions
I have a wonderful proof of this but I can't write it now because my
train is coming.
	   -- Graffito on New York subway
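
The workaround mentioned in the message above (copying include code inline) can be done as a preprocessing step before the pages are deployed. The following is an added example, not code from the original post or from OpenSA/mod_asp; `expand_includes`, `IncludeError`, the site-root confinement and the cycle check are assumptions of this example, and the sample pages are constructed.

```python
import os
import re
import tempfile

# Only the <!-- #include file="..." --> form is handled, as the post asks.
INCLUDE_RE = re.compile(r'<!--\s*#include\s+file\s*=\s*"([^"]+)"\s*-->', re.I)

class IncludeError(Exception):
    """Raised for an include that leaves the site root or forms a cycle."""

def expand_includes(path, root, stack=()):
    """Return the text of `path` with its #include file directives inlined."""
    root = os.path.realpath(root)
    real = os.path.realpath(path)  # resolves ".." and symlinks before the check
    if os.path.commonpath([root, real]) != root:
        raise IncludeError("include escapes site root: " + path)
    if real in stack:
        raise IncludeError("include cycle at: " + path)
    with open(real, encoding="latin-1") as fh:
        text = fh.read()

    def inline(match):
        # file= is relative to the including file; ASP pages often use "\".
        target = os.path.join(os.path.dirname(real), match.group(1).replace("\\", "/"))
        return expand_includes(target, root, stack + (real,))

    return INCLUDE_RE.sub(inline, text)

def demo():
    """Expand a constructed site; returns [page, error_for_bad, error_for_loop]."""
    files = {  # constructed sample pages, not taken from any real application
        "default.asp": '<!-- #include file="inc\\db.asp" -->\n<% Response.Write Greeting %>\n',
        "inc/db.asp": '<!--#INCLUDE FILE="util.asp"-->\n<% Set conn = Nothing %>\n',
        "inc/util.asp": '<% Const Greeting = "hi" %>\n',
        "bad.asp": '<!-- #include file="../../outside.inc" -->\n',
        "loop.asp": '<!-- #include file="loop.asp" -->\n',
    }
    with tempfile.TemporaryDirectory() as site:
        os.mkdir(os.path.join(site, "inc"))
        for name, body in files.items():
            with open(os.path.join(site, name), "w", encoding="latin-1") as fh:
                fh.write(body)
        results = [expand_includes(os.path.join(site, "default.asp"), site)]
        for name in ("bad.asp", "loop.asp"):
            try:
                expand_includes(os.path.join(site, name), site)
            except IncludeError as exc:
                results.append(str(exc).split(":")[0])
        return results
```

Calling `demo()` returns the fully inlined `default.asp` followed by the two rejection reasons; the path check runs before any file is opened, so an include pointing outside the site root is refused even when the target does not exist.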