Bugtraq mailing list archives

New FrontPage98 Server Extensions Release (fwd)


From: marcs () ZNEP COM (Marc Slemko)
Date: Fri, 20 Mar 1998 11:48:00 -0700


Anyone using the FrontPage extensions on a Unix system should note the
couple of possible security issues in the below forwarded message and be
sure that they do not cause problems in your environment.

I have not looked at the issues at all, I am just forwarding a note that
RTR sent to their mailing list.

---------- Forwarded message ----------
Date: Fri, 20 Mar 1998 10:45:33 -0500
From: RTR Webmaster <webmaster () pudding rtr com>
Subject: New FrontPage98 Server Extensions Release

Please note that there is a new release of the FrontPage98 Server Extensions
for UNIX.  It includes:

        1.  Server-Side Script Security

                Combining server-side scripting code on a web page
                along with a FrontPage component (formerly "WebBot
                component") would allow an end-user to view the
                actual script if they view the source of the resulting
                page. Also, a user knowledgeable about the Server
                Extensions could exploit this behavior to view script
                source by passing the page to the browse-time Server
                Extensions EXE, SHTML.EXE.

        2.  Symbolic Links

                If a user with telnet access to their content directory
                created symbolic links within this directory, the FrontPage
                Explorer and the FrontPage Server Administrator
                (fpsrvadm.exe) would follow the symbolic links and
                therefore could potentially make unwanted changes to
                the linked files.

        3.  Updated fpcount.exe

                Until the update, this executable could potentially
                cause a browse-time hang.

        4.  Discussion Webs

                A Discussion Web issue where sorting messages in
                reverse chronological order did not work.

        5.  NORTBOTS.HTM with Disk-based webs

                An issue specific to disk-based webs that are published
                to a FrontPage-extended Web server where activating
                FrontPage components may result in a "HTTP/1.0 404
                Object not found" error.


Also included in this release is Apache-fp 1.2.5.

To obtain more information concerning this release please check
http://www.rtr.com/fpsupport/1330update_UNIX.htm and to download
them http://www.rtr.com/fpsupport/download.htm.





