Re: Frontpage extensions under Apache 1.3.4

[frankm () BEND OR US (Frank Miller)]

Marc/Nathan and other bugtraq folk,

I utilized fp-patch_apache.1.3.0. It performed changes to httpd.h,
httpd_request.c, util.c and of course dumped mod_frontpage.c.

Ya'll are correct in that the actual extentions/CGI's are not avaialable.
Sorry for the net misunderstanding!

I should know better than to send e-mail public in the wee, wee hours of the
morn after staying up for a few days working ;}.

Frank

> -----Original Message-----
> From: Neulinger, Nathan R. [mailto:nneul () umr edu]
> Sent: Tuesday, February 23, 1999 9:20 AM
> To: 'Frank Miller'; BUGTRAQ () netspace org
> Subject: RE: Frontpage extensions under Apache 1.3.4
>
>
> The only thing you get source to is the setuid portion and the
> apache patch.
> What good does that do you? You still have to trust everything that the
> setuid routine runs... (i.e. the frontpage executable itself)
>
> I have managed to get frontpage installed in a chrooted
> environment. This is
> about the only way I'd even vaguely consider installing it. I
> have it set up
> for virtual hosted customers (at a local isp) that have chosen to
> _only_ use
> frontpage. They either get regular access to a normal virtual
> host, or they
> get a frontpage host.
>
> -- Nathan
>
> ------------------------------------------------------------
> Nathan Neulinger                       EMail:  nneul () umr edu
> University of Missouri - Rolla         Phone: (573) 341-4841
> Computing Services                       Fax: (573) 341-4216
>
> > -----Original Message-----
> > From: Frank Miller [mailto:frankm () BEND OR US]
> > Sent: Monday, February 22, 1999 1:36 PM
> > To: BUGTRAQ () netspace org
> > Subject: Re: Frontpage extensions under Apache 1.3.4
> >
> >
> > Source is available for Apache FP extentions up to Apache
> > 1.3.*.  Have not
> > performed an audit
> > of the source.  I have suceeded with minimal munging to apply
> > the patch to
> > Apache 1.3.4.
> >
> > They are rather well hidden on the Microsoft FrontPage admin
> > web site ;].
> >
> > Frank
> >
> > > -----Original Message-----
> > > From: Bugtraq List [mailto:BUGTRAQ () netspace org]On Behalf
> > Of Alan Brown
> > > Sent: Sunday, February 21, 1999 7:16 PM
> > > To: BUGTRAQ () netspace org
> > > Subject: Re: Frontpage extensions under Apache 1.3.4
> > >
> > >
> > > On Fri, 19 Feb 1999, Sitzkrieg Redundus wrote:
> > >
> > > > I spent the bulk my time a few days back convincing the
> > Frontpage 98
> > > > extensions and Apache 1.3.4 (patched with patch version
> > 3.0.4.3) to play
> > > > nicely. After banging my head against it for a few hours, I got
> > > things to
> > > > what I thought was a workable point, and fired up httpd. And
> > > got an error
> > > > back about there being a syntax error on line 1 of /dev/null.
> > >
> > > Has anyone properly audited the current Front Page
> > extensions for any
> > > Apache server? My understanding is that these are available soley as
> > > binary/object files and inspection of source is impossible.
> > >
> > > I'd love to know if this has changed, as we refuse to install FP
> > > extensions because for all we know they may be swiss cheese.
> > >
> > > Many other apache server admins will have taken the same position.
> > >
> > > AB