Bugtraq mailing list archives

Another Frontpage Bug, with promiscuous ScriptAliases


From: pedward () WEBCOM COM (pedward () WEBCOM COM)
Date: Thu, 23 Apr 1998 18:35:34 -0700


The Apache hack that M$ distributes allows one to create ANY directory
on a Frontpage enabled web server, and execute content in it.
This also goes for the stock Netscape Server config that M$ recommends.

Hmm, I wonder if M$ deliberately places security holes in Unix apps so
that they can claim "but Frontpage under IIS doesn't have that hole!".

Mainly because IIS loads Frontpage as a DLL (I suppose).  Frontpage
wouldn't be anywhere near the PIG it is if it ran as an Apache module
or NSAPI module...but then who has an extra 5 megs per server process
to burn???

E.g.:

You want a rogue program to run, and the victim has anonymous uploadable
FTP (or you sign up for a service and you want to run binaries on the
server, but can't):

mkdir _vti_bin
cd _vti_bin
put [whatever bin]

Web browser:

http://www.victim.com/somedirectorystructure/_vti_bin/trojanfile

Boom, you've got stuff running on that server.

They configure the Netscape server the same way.

Unless you make a special NSAPI or Apache module, you're vulnerable
as a freshly born ewe of a cloned sheep named Dolly!

And why is this possible???

ScriptAlias "*/_vti_bin/*" /somedirpath

<Object ppath="*/_vti_bin/*">
...
</Object>


Solution:

Custom NSAPI / Apache module:

NameTrans fn="prefix_fpdir" prefix_path="/somedir/cgi-bin/frontpage" name="cgi"

Plus:

Custom Stub:

/somedir/cgi-bin/frontpage/cgi-wrapper [path to real binary]


--Perry

--
Perry Harrington        System Software Engineer    zelur xuniL  ()
http://www.webcom.com  perry.harrington () webcom com  Think Blue.  /\

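A small audit script illustrating the configuration point above, added here as an example and not part of Perry's post or of any FrontPage or Apache code. It parses constructed ScriptAlias lines, flags patterns that are not anchored at the URL root (the `*/_vti_bin/*` style the post describes), and shows which request paths such an entry would hand to the CGI handler. The sample paths are constructed, and wildcard matching is assumed to behave like shell globbing, as the FrontPage-patched servers of the time did; a stock mod_alias ScriptAlias is a plain prefix.

```python
import fnmatch
import re

# Constructed httpd.conf fragment: the first line is the unanchored pattern the
# post complains about, the other two are conventionally anchored aliases.
SAMPLE_CONF = """\
ScriptAlias "*/_vti_bin/*" /usr/local/frontpage/version3.0/exes
ScriptAlias /cgi-bin/ /usr/local/apache/cgi-bin/
ScriptAlias /_vti_bin/ /usr/local/frontpage/version3.0/exes/
"""

_DIRECTIVE = re.compile(r'^\s*ScriptAlias\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?\s*$')

def parse_scriptaliases(conf):
    """Return [(url_pattern, filesystem_path), ...] for every ScriptAlias line."""
    pairs = []
    for line in conf.splitlines():
        m = _DIRECTIVE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def is_promiscuous(url_pattern):
    """A pattern is promiscuous when it does not start at the URL root, so a
    directory of the matching name is executable wherever a user can create one."""
    return not url_pattern.startswith('/')

def pattern_matches(url_pattern, request_path):
    """Shell-style globbing for wildcard patterns (assumed behaviour of the
    FrontPage-patched server); plain prefix match for ordinary ScriptAlias entries."""
    if any(c in url_pattern for c in '*?['):
        return fnmatch.fnmatchcase(request_path, url_pattern)
    return request_path.startswith(url_pattern)

def executing_aliases(conf, request_path):
    """Which URL patterns would route request_path to the CGI handler."""
    return [p for p, _ in parse_scriptaliases(conf)
            if pattern_matches(p, request_path)]

def audit(conf):
    """List the ScriptAlias patterns that should be anchored before deployment."""
    return [p for p, _ in parse_scriptaliases(conf) if is_promiscuous(p)]

if __name__ == '__main__':
    for p in audit(SAMPLE_CONF):
        print('unanchored ScriptAlias pattern:', p)
    print(executing_aliases(SAMPLE_CONF, '/users/joe/_vti_bin/upload'))
```

The same root-anchoring check applies to a Netscape `<Object ppath="...">` entry, except that `ppath` is a filesystem path rather than a URL.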