Re: FrontPage + Apache + FreeBSD

[roberto () NET-ONE IT (Roberto Grassi)]

> I've sent in a report for FrontPage extensions and their lack of security
> and so far after about two weeks have yet to gain a reply.  I have
> searched hours on end on multiple lists for a solution to this problem and
> still have not found an answer so I have come to the conclusion that it is
> a bug and am so forth posting on it to bugtraq in hopes that a solution
> will be made.
>
> We run apache web servers with FrontPage Extensions compiled in as a
> module and have noticed that when using virtual hosts their is a huge
> security issue.  When using the "ServerAlias" directive on a virtual
> domain, the alias will work fine on the web, however if you try to open
> FrontPage and use the aliases name (and "list webs") the extensions will
> display the servers root web, not the virtual root web.  Usually this
> wouldn't harm anything however I've found that if you try and open the
> root web using the aliased domain it will use the aliased domain's
> permissions and open the root web.
>
> Here's an example:
>
> http.conf
>
> <VirtualHost domain.com>
> [insert paths
>  etc and extra
>  options here]
> ServerAlias www.domain.com
> </VirtualHost>

And if you don't use ServerAlias directive? It happen again?
We have configured Apache with FP98 extension on our FreeBSD but
it doesn't appear to suffer the problem you expose.
I gatered FP98 extension informations from
        http://www.rtr.com/fpsupport/discuss.htm

> Now... we install frontpage extensions for domain.com.
>
> Next we open frontpage on our machine and point it to domain.com, open the
> web which should work fine and add a user.  For our purposes I'll use
> "testing" with the password of "fpsucks".  Close the frontpage web then
> reopen only this time before we hit "list webs" use the domain
> www.domain.com.  Now frontpage will return the server's root web instead
> of the virtual root.  Select it and click ok to open and the u/p box will
> appear.  Now usually this should be asking for the root web's username and
> password and other webs permissions shouldn't work.  However we enter the
> username of "testing" and the password of "fpsucks", low and behold it
> opens the root web and allows the user the same permissions that the
> virtual web had for it.
>
> Nasty.  My apologies if I'm just ignorant but I serious haven't found ANY
> articles about this and I've searched the third party software vendor that
> Microsoft uses for FP extensions without a solutions.
>
> Greg
>
> +(Omni () Dynmc Net)------------------------------------------------------+
> | Dynamic Networking Solutions                     InterX Technologies |
> | Senior Network Administrator                bits/keyID 1024/7DF9C285 |
> | omni () interx net omni () itstudio net omni () undernet org omni () webpop3 com |
> +--------[  DC 50 57 59 C3 76 46 E8 EB 75 A8 94 FE 96 9E D3 ]----------+

However I still have many doubts on Front Page security and functionality.



Grassi Roberto                             NET1 S.r.l.
System & Network Administrator             via S.Cristoforo, 44
e-mail: roberto () net-one it                 21047 Saronno (VA) - ITALY