Followup to FP98 and other Frontpage bugs
From: pedward () WEBCOM COM (pedward () WEBCOM COM)
Date: Mon, 12 Oct 1998 11:22:38 -0700
I'm sending this because I've been getting quite a few kiddies emailing
me about the FP rant I did in April. This is just a followup on what's
outstanding, hopefully this'll get propagated to the sites which posted
the original message.
This message is an FAQ I created because of the number of requests
I get regarding the FP98 bugs/holes.
Ok, the state of FP98 is this:
The current FP releases (1330 and later) fix the promiscuous permissions
problems with the password files and such.
AFAIK, the outstanding issues are these:
_vti_pvt directory: On a misconfigured webserver, this directory can be
read via /_vti_pvt in a website. This can still be read via an
FTP client, given the default permissions.
Fixes:
* Add a deny directive in the obj.conf under NS, or use a
mod_redirect or similar under Apache.
* Make sure that the permissions on the _vti_pvt directory
are somewhat sane.
There is a problem with this: shtml.exe must read the password
files as the user of the webserver. So, either you create
a wrapper which does a setuid(owner of web) before invoking
any FP extensions, or you set the permissions strictly and
run as root.
_vti_cnf directory: This is a privacy issue. If you access an FP web
with /_vti_cnf, you will get a shadow directory listing of all the files
in that current directory. It is the meta info FP keeps about every file
it has under control; think of it as a CVS directory in a checked out
Fixes: add a deny directive for */_vti_cnf/* in NS or Apache.
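An Apache configuration that applies the deny the FAQ recommends for both /_vti_pvt and /_vti_cnf, added here as an example rather than taken from the original post. It uses the access-control Order/Deny directives (Apache 1.3 era, contemporary with FP98) instead of the mod_redirect the post mentions, and the LocationMatch pattern is my assumption.

```apache
# Added example, not part of the original post: block HTTP access to the
# FrontPage metadata directories at any depth in any web (or subweb).
# Assumes mod_access (Order/Deny); the Apache 2.4 form is in the comment.
<LocationMatch "/_vti_(pvt|cnf)(/|$)">
    Order deny,allow
    Deny from all
    # Apache 2.4 (mod_authz_core) equivalent of the two lines above:
    # Require all denied
</LocationMatch>
```

A Location-level deny only covers HTTP requests for those paths; it does nothing about the filesystem permissions that the FTP and shtml.exe points above concern, so those still need fixing separately.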
There still exists one more privacy hole with Frontpage, and that is the ability
to list all the subwebs in a web, without needing a password. This is achieved
by pointing FrontPage at a web; it'll come back with a list of subwebs. Possible
solutions to this are to simply add the shtml.exe extension under password protection
like the rest of the extensions, however the FP client may not cope with this correctly.
So, here is the status of Frontpage and its (in)security.
I'm not in the business of providing script kiddies with plug-n-play hacks for
Frontpage, so you'll have to do your own footwork.
<End of FAQ>
Perry Harrington System Software Engineer zelur xuniL ()
http://www.webcom.com perry.harrington () webcom com Think Blue. /\