Bugtraq mailing list archives
Re: FrontPage + Apache + FreeBSD
From: paulsc () TECHWAVE COM (Paul Schandel)
Date: Fri, 26 Mar 1999 08:52:22 -0800
This is not a security issue, hence why they did not respond to you. In your own example of a VirtualHost you listed domain.com and alias www.domain.com in the same hosting. In this instance, why wouldn't FrontPage associate both domains as being in the SAME directory and location? Hence the username and password are stored in the same location. Are both working on the same ROOT WEB? You didn't set up any subwebs, so you wouldn't see any of those. It would be considered a security issue if, say, www.somedomain.com opened with the user/pass of the one set for www.domain.com. But in this instance it would not be.

Thanks
Paul Schandel

-----Original Message-----
From: Gregory A. Carter [mailto:omni () DYNMC NET]
Sent: Monday, March 22, 1999 8:20 AM
To: BUGTRAQ () NETSPACE ORG
Subject: FrontPage + Apache + FreeBSD

I've sent in a report for FrontPage extensions and their lack of security and so far, after about two weeks, have yet to gain a reply. I have searched hours on end on multiple lists for a solution to this problem and still have not found an answer, so I have come to the conclusion that it is a bug and am so forth posting on it to bugtraq in hopes that a solution will be made.

We run apache web servers with FrontPage Extensions compiled in as a module and have noticed that when using virtual hosts there is a huge security issue. When using the "ServerAlias" directive on a virtual domain, the alias will work fine on the web; however, if you try to open FrontPage and use the alias's name (and "list webs"), the extensions will display the server's root web, not the virtual root web. Usually this wouldn't harm anything; however, I've found that if you try and open the root web using the aliased domain it will use the aliased domain's permissions and open the root web.

Here's an example:

httpd.conf

    <VirtualHost domain.com>
    [insert paths etc and extra options here]
    ServerAlias www.domain.com
    </VirtualHost>

Now... we install frontpage extensions for domain.com.

Next we open frontpage on our machine and point it to domain.com, open the web, which should work fine, and add a user. For our purposes I'll use "testing" with the password of "fpsucks". Close the frontpage web, then reopen, only this time before we hit "list webs" use the domain www.domain.com. Now frontpage will return the server's root web instead of the virtual root. Select it and click ok to open and the u/p box will appear. Now usually this should be asking for the root web's username and password and other webs' permissions shouldn't work. However, we enter the username of "testing" and the password of "fpsucks", and lo and behold it opens the root web and allows the user the same permissions that the virtual web had for it. Nasty.

My apologies if I'm just ignorant, but I seriously haven't found ANY articles about this and I've searched the third party software vendor that Microsoft uses for FP extensions without a solution.

Greg

+(Omni () Dynmc Net)------------------------------------------------------+
| Dynamic Networking Solutions                       InterX Technologies |
| Senior Network Administrator                  bits/keyID 1024/7DF9C285 |
| omni () interx net omni () itstudio net omni () undernet org omni () webpop3 com |
+--------[ DC 50 57 59 C3 76 46 E8 EB 75 A8 94 FE 96 9E D3 ]----------+
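The disagreement in the thread comes down to which <VirtualHost> block a given hostname actually lands in: Paul's point is that domain.com and www.domain.com are one and the same vhost, so one and the same root web, while the real trouble case would be a hostname that resolves to some other vhost (or to no vhost at all, in which case Apache serves the first vhost defined for that address as the default). The following script, an added example that is not code from either post, parses an httpd.conf fragment and reports, for each hostname, which DocumentRoot Apache's name-based matching would serve (exact ServerName, or a ServerAlias, which Apache allows to carry * and ? wildcards; first match wins) and whether the name fell through to the default vhost. The config fragment and hostnames are constructed for the example; the treatment of the `<VirtualHost name>` tag argument as a stand-in ServerName when none is given is an assumption made so the post's own example (which has no ServerName line) can be read.

```python
import fnmatch
import re

# Constructed httpd.conf fragment modelled on the thread's example; it is not
# the configuration from the original post. The second vhost is added so that
# a hostname nobody claims (www.somedomain.com) can be shown falling through.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10>
    ServerName domain.com
    ServerAlias www.domain.com *.domain.com
    DocumentRoot /usr/local/www/domain.com
</VirtualHost>

<VirtualHost 192.0.2.10>
    ServerName somedomain.com
    DocumentRoot /usr/local/www/somedomain.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf):
    """Return the <VirtualHost> blocks in config order as dicts with keys
    addr, name, aliases and docroot. Assumption (not Apache-documented here):
    when a block has no ServerName line, the host in the <VirtualHost ...>
    tag stands in for it, which is how the post's example is read."""
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        addr, body = m.group(1).strip(), m.group(2)
        vh = {"addr": addr, "name": None, "aliases": [], "docroot": None}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split()
            key = parts[0].lower()
            if key == "servername" and len(parts) > 1:
                vh["name"] = parts[1].lower()
            elif key == "serveralias":
                vh["aliases"].extend(a.lower() for a in parts[1:])
            elif key == "documentroot" and len(parts) > 1:
                vh["docroot"] = parts[1].strip('"')
        if vh["name"] is None:
            vh["name"] = addr.split(":")[0].lower()
        vhosts.append(vh)
    return vhosts


def resolve_host(vhosts, host):
    """Pick the vhost Apache's name-based matching serves for a Host header:
    exact ServerName, or a ServerAlias (with * and ? wildcards), first match
    wins. Returns (vhost, matched). With no match Apache falls back to the
    first vhost for the address, so that one is returned with matched=False."""
    host = host.lower().split(":")[0]
    for vh in vhosts:
        if host == vh["name"] or any(fnmatch.fnmatchcase(host, a) for a in vh["aliases"]):
            return vh, True
    return vhosts[0], False


def unclaimed_hosts(vhosts, hosts):
    """Hostnames that land in the default vhost rather than one of their own."""
    return [h for h in hosts if not resolve_host(vhosts, h)[1]]


if __name__ == "__main__":
    vhosts = parse_vhosts(SAMPLE_CONF)
    for h in ["domain.com", "www.domain.com", "ftp.domain.com", "www.somedomain.com"]:
        vh, matched = resolve_host(vhosts, h)
        print(f"{h:22} -> {vh['docroot']}  ({'matched' if matched else 'DEFAULT vhost'})")
```

Run against the sample, domain.com, www.domain.com and the wildcard-covered ftp.domain.com all resolve to the same DocumentRoot, which is the situation Paul describes: one vhost, one root web, so one set of FrontPage credentials is expected. www.somedomain.com, which no block claims, is served from the first vhost's DocumentRoot as Apache's default; that is the case worth checking before reporting a cross-web permission leak, since a name that silently falls through to another vhost's tree is a configuration gap, not a FrontPage one.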
Current thread:
- Re: FrontPage + Apache + FreeBSD Forrest J. Cavalier III (Mar 25)
- <Possible follow-ups>
- Re: FrontPage + Apache + FreeBSD Paul Schandel (Mar 26)
- Possible security hole Christoforos Karatzinis (Mar 26)
- Re: Possible security hole Jason Costomiris (Mar 29)
- Bypassing Excel Macro Virus Protection rotaiv (Mar 29)
- Re: FrontPage + Apache + FreeBSD Gregory A. Carter (Mar 26)
- Possible security hole Christoforos Karatzinis (Mar 26)
- Re: FrontPage + Apache + FreeBSD Paul Schandel (Mar 26)
- Re: FrontPage + Apache + FreeBSD -Reply Bob McConnell (Mar 29)
