Full Disclosure mailing list archives

Re: Frontpage Extensions Remote Command Execution

From: Damian Gerow <damian () sentex net>
Date: Wed, 12 Nov 2003 14:53:02 -0500

Thus spake mattmurphy () kc rr com (mattmurphy () kc rr com) [12/11/03 14:41]:

bulletin.  A decent admin would configure FPSE such that this flaw is a
non-issue.  This is because no ordinary user has a reason to be accessing
FPSE's files.  If FPSE is secured, this means that an attacker is getting
their own privileges back.


A decent OS shouldn't need the admin to go in and modify permissions on
specific files in order to give a ensure a basic security requirement.
While an ordinary user may have no reason to access those files, an ordinary
admin should similarily have no reason for modifying the permissions on
those files.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Frontpage Extensions Remote Command Execution Brett Moore (Nov 12)
- RE: Frontpage Extensions Remote Command Execution Geo. (Nov 12)
- <Possible follow-ups>
- RE: Frontpage Extensions Remote Command Execution mattmurphy () kc rr com (Nov 12)
  - RE: Frontpage Extensions Remote Command Execution Geo. (Nov 12)
  - Re: Frontpage Extensions Remote Command Execution Damian Gerow (Nov 12)
    - Re: Frontpage Extensions Remote Command Execution Paul Schmehl (Nov 12)
    - Re: Frontpage Extensions Remote Command Execution Damian Gerow (Nov 12)
    - Re: Frontpage Extensions Remote Command Execution Ricky Blaikie (Nov 12)
- RE: Frontpage Extensions Remote Command Execution mattmurphy () kc rr com (Nov 12)
  - Re: Frontpage Extensions Remote Command Execution Geoincidents (Nov 12)
- RE: Frontpage Extensions Remote Command Execution Nick Jacobsen (Nov 12)
  - Re[2]: Frontpage Extensions Remote Command Execution Adik (Nov 13)
- RE: Frontpage Extensions Remote Command Execution Marc Maiffret (Nov 13)