Bugtraq mailing list archives
Re: FrontPage + Apache + FreeBSD
From: roberto () NET-ONE IT (Roberto Grassi)
Date: Fri, 26 Mar 1999 16:32:07 +0100
> I've sent in a report for FrontPage extensions and their lack of security and so far, after about two weeks, have yet to gain a reply. I have searched hours on end on multiple lists for a solution to this problem and still have not found an answer, so I have come to the conclusion that it is a bug and am thus posting it to bugtraq in hopes that a solution will be made.
>
> We run Apache web servers with FrontPage Extensions compiled in as a module and have noticed that when using virtual hosts there is a huge security issue. When using the "ServerAlias" directive on a virtual domain, the alias will work fine on the web; however, if you try to open FrontPage and use the alias name (and "list webs"), the extensions will display the server's root web, not the virtual root web. Usually this wouldn't harm anything; however, I've found that if you try and open the root web using the aliased domain it will use the aliased domain's permissions and open the root web.
>
> Here's an example:
>
> httpd.conf
>
> <VirtualHost domain.com>
> [insert paths etc and extra options here]
> ServerAlias www.domain.com
> </VirtualHost>
And if you don't use the ServerAlias directive, does it happen again? We have configured Apache with the FP98 extensions on our FreeBSD system, but it doesn't appear to suffer the problem you describe. I gathered FP98 extension information from http://www.rtr.com/fpsupport/discuss.htm
> Now... we install FrontPage extensions for domain.com. Next we open FrontPage on our machine and point it to domain.com, open the web, which should work fine, and add a user. For our purposes I'll use "testing" with the password of "fpsucks". Close the FrontPage web, then reopen, only this time, before we hit "list webs", use the domain www.domain.com. Now FrontPage will return the server's root web instead of the virtual root. Select it and click OK to open and the u/p box will appear. Now usually this should be asking for the root web's username and password, and other webs' permissions shouldn't work. However, we enter the username of "testing" and the password of "fpsucks", and lo and behold it opens the root web and allows the user the same permissions that the virtual web had for it. Nasty.
>
> My apologies if I'm just ignorant, but I seriously haven't found ANY articles about this, and I've searched the third-party software vendor that Microsoft uses for FP extensions without a solution.
>
> Greg
>
> +(Omni () Dynmc Net)------------------------------------------------------+
> | Dynamic Networking Solutions                    InterX Technologies    |
> | Senior Network Administrator                    bits/keyID 1024/7DF9C285 |
> | omni () interx net  omni () itstudio net  omni () undernet org  omni () webpop3 com |
> +--------[ DC 50 57 59 C3 76 46 E8 EB 75 A8 94 FE 96 9E D3 ]----------+
However, I still have many doubts about FrontPage security and functionality.

Grassi Roberto
NET1 S.r.l.
System & Network Administrator
via S.Cristoforo, 44
21047 Saronno (VA) - ITALY
e-mail: roberto () net-one it
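As an added example (my own code, not from either poster), a small Python audit that lists every ServerAlias declared on each <VirtualHost> in an httpd.conf: per the report above, each such alias is a hostname under which a FrontPage client is handed the root web while being checked against the virtual web's user list, so these are the names an administrator should review first. The sample configuration is constructed for the example.

```python
import re

# Constructed sample httpd.conf modelled on the report above (not a real
# configuration): the first virtual host carries a ServerAlias, the second does not.
SAMPLE_HTTPD_CONF = """\
ServerName host.example.invalid
<VirtualHost domain.com>
    ServerName domain.com
    ServerAlias www.domain.com ftp.domain.com
    DocumentRoot /usr/local/www/domain.com
</VirtualHost>
<VirtualHost other.example.invalid>
    ServerName other.example.invalid
    DocumentRoot /usr/local/www/other
</VirtualHost>
"""

_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)
_NAME_OR_ALIAS = re.compile(r"^\s*(ServerName|ServerAlias)\s+(\S.*?)\s*$", re.IGNORECASE)


def find_aliased_vhosts(conf_text):
    """Return [(vhost_arg, server_name, [aliases])] for each <VirtualHost> that
    declares a ServerAlias. Per the report, each alias is a hostname under which a
    FrontPage client is shown the root web but checked against this web's users."""
    found = []
    block = None                                  # the <VirtualHost> being read, if any
    for raw in conf_text.splitlines():
        if raw.lstrip().startswith("#"):          # whole-line comment
            continue
        opened = _OPEN.match(raw)
        if opened:
            block = {"arg": opened.group(1).strip(), "name": None, "aliases": []}
            continue
        if _CLOSE.match(raw):
            if block is not None and block["aliases"]:
                found.append((block["arg"], block["name"], block["aliases"]))
            block = None
            continue
        m = _NAME_OR_ALIAS.match(raw)
        if m is None or block is None:            # unrelated or top-level directive
            continue
        if m.group(1).lower() == "servername":
            block["name"] = m.group(2)
        else:                                     # one ServerAlias may list several names
            block["aliases"].extend(m.group(2).split())
    return found
```

Run it against a real httpd.conf by reading the file into `find_aliased_vhosts`; every alias it reports is a name to test against the FrontPage "list webs" behaviour described in the thread.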