Another Frontpage Bug, with promiscuous ScriptAliases
From: pedward () WEBCOM COM (pedward () WEBCOM COM)
Date: Thu, 23 Apr 1998 18:35:34 -0700
The Apache hack that M$ distributes allows one to create ANY directory
on a Frontpage enabled web server, and execute content in it.
This also goes for the stock Netscape Server config that M$ recommends.

Hmm, I wonder if M$ deliberately places security holes in Unix apps so
that they can claim "but Frontpage under IIS doesn't have that hole!".
Mainly because IIS loads Frontpage as a DLL (I suppose). Frontpage
wouldn't be anywhere near the PIG it is if it ran as an Apache module
or NSAPI module...but then who has an extra 5 megs per server process

You want a rogue program to run, and the victim has anonymous uploadable
FTP (or you sign up for a service and you want to run binaries on the
server, but can't):

    put [whatever bin]

Boom you've got stuff runnin on that server.

They configure the Netscape server the same way.

Unless you make a special NSAPI or Apache module, you're vulnerable
as a freshly born ewe of a cloned sheep named Dolly!

And why is this possible???

    ScriptAlias "*/_vti_bin/*" /somedirpath

Custom NSAPI / Apache module:

    NameTrans fn="prefix_fpdir" prefix_path="/somedir/cgi-bin/frontpage" name="cgi"
    /somedir/cgi-bin/frontpage/cgi-wrapper [path to real binary]
Perry Harrington System Software Engineer zelur xuniL ()
http://www.webcom.com perry.harrington () webcom com Think Blue. /\
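
A defensive check for the condition described in the post above, as an added example that is not part of the original message: it walks a document root and reports every file under any directory named `_vti_bin` that is not an expected FrontPage stub. The allowlist of stub names, the function name `audit_vti_bin` and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Assumption: the FrontPage stubs an install normally places under _vti_bin.
# Adjust this allowlist to what your installation actually deploys.
EXPECTED = {
    "shtml.exe",
    os.path.join("_vti_adm", "admin.exe"),
    os.path.join("_vti_aut", "author.exe"),
}

def audit_vti_bin(docroot, expected=EXPECTED):
    """Report files under any directory named _vti_bin that are not
    allowlisted stubs; a wildcard ScriptAlias would treat them as CGI."""
    findings = []
    for dirpath, dirnames, _ in os.walk(docroot):
        if "_vti_bin" not in dirnames:
            continue
        dirnames.remove("_vti_bin")  # scanned below, do not descend twice
        vti = os.path.join(dirpath, "_vti_bin")
        for sub, _, files in os.walk(vti):
            for name in files:
                full = os.path.join(sub, name)
                if os.path.relpath(full, vti) in expected:
                    continue
                st = os.lstat(full)
                findings.append({
                    "path": os.path.relpath(full, docroot),
                    "executable": bool(st.st_mode & 0o111),
                    "owner_uid": st.st_uid,
                })
    return sorted(findings, key=lambda f: f["path"])

if __name__ == "__main__":
    # Constructed sample tree: one legitimate web, one upload area.
    with tempfile.TemporaryDirectory() as root:
        for rel in ("site/_vti_bin/shtml.exe", "pub/incoming/_vti_bin/tool"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, 0o755)
        for f in audit_vti_bin(root):
            print(f)
```

Run it against the document root and any FTP-writable area the web server can also reach; every finding is a file the wildcard alias would hand to the CGI handler.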