Bugtraq mailing list archives

Followup to FP98 and other Frontpage bugs


From: pedward () WEBCOM COM (pedward () WEBCOM COM)
Date: Mon, 12 Oct 1998 11:22:38 -0700


Aleph,

 I'm sending this because I've been getting quite a few kiddies emailing
me about the FP rant I did in April.  This is just a followup on what's
outstanding, hopefully this'll get propagated to the sites which posted
the original message.

        Thanks --Perry

This message is an FAQ I created because of the number of requests
I get regarding the FP98 bugs/holes.

Ok, the state of FP98 is this:

 The current FP releases (1330 and post) fix the promiscuous permissions
problems with the password files and such.

AFAIK, the outstanding issues are these:

_vti_pvt directory:  On a misconfigured webserver, this directory can be
        read via /_vti_pvt in a website.  This can still be read via an
        FTP client, given the default permissions.

        Fixes:  * add a deny directive in the obj.conf under NS, or use a
                        mod_redirect or similar under Apache.

                * Make sure that the permissions on the _vti_pvt directory
                        are somewhat sane.

                There is a problem with this: shtml.exe must read the password
                files as the user of the webserver.  So, either you create
                a wrapper which does a setuid(owner of web) before invoking
                any FP extensions, or you set the permissions strictly and
                run as root.

_vti_cnf directory:  This is a privacy issue.  If you access an FP web
        with /_vti_cnf, you will get a shadow directory listing of all the files
        in that current directory.  It's the meta info FP keeps about every file
        it has under control; think of it as a CVS directory in a checked out
        tree.

        Fixes:  add a deny directive for */_vti_cnf/* in NS or Apache.
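The two fixes above (sane filesystem permissions on _vti_pvt, and a web-server deny rule covering the _vti_ directories) can be checked from the shell. The script below is an added example and is not part of Perry's post or of the FrontPage extensions; it assumes a document root path and a classic Apache 1.3-style httpd.conf, and the sample config in the test is constructed.

```sh
#!/bin/sh
# Audit a FrontPage-enabled document root for the two exposures discussed above.
# Added example; DOCROOT/CONFFILE arguments and the config layout are assumptions.

# find_world_readable_vti DOCROOT
# Prints every _vti_pvt or _vti_cnf directory under DOCROOT whose "other"
# permission bits grant read (listing, e.g. over FTP) or search (entering)
# access.  Octal masks: -004 = o+r, -001 = o+x.
find_world_readable_vti() {
    docroot="$1"
    find "$docroot" -type d \( -name _vti_pvt -o -name _vti_cnf \) \
        \( -perm -004 -o -perm -001 \) -print | sort
}

# has_vti_deny CONFFILE
# Returns 0 if CONFFILE contains a <DirectoryMatch>/<LocationMatch>/<FilesMatch>
# block whose pattern mentions _vti_ and which carries "Deny from all", i.e. the
# classic (Apache 1.3 / 2.2) form of the deny rule suggested above:
#
#   <DirectoryMatch "/_vti_(pvt|cnf)/">
#       Order deny,allow
#       Deny from all
#   </DirectoryMatch>
#
# (Apache 2.4 spells the same rule "Require all denied"; this check only
# recognises the classic syntax.)
has_vti_deny() {
    awk '
        /^[[:space:]]*<(Directory|Location|Files)Match[^>]*_vti_/ { inblock = 1 }
        inblock && /^[[:space:]]*[Dd]eny[[:space:]]+from[[:space:]]+all/ { found = 1 }
        /^[[:space:]]*<\// { inblock = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# audit_fp_site DOCROOT CONFFILE
# Runs both checks and reports; returns 1 if anything is exposed.
audit_fp_site() {
    rc=0
    exposed=$(find_world_readable_vti "$1")
    if [ -n "$exposed" ]; then
        echo "world-readable FP metadata directories:"
        echo "$exposed"
        rc=1
    fi
    if ! has_vti_deny "$2"; then
        echo "no deny rule for _vti_ directories found in $2"
        rc=1
    fi
    return $rc
}

# Usage: audit_fp_site /path/to/docroot /path/to/httpd.conf
```

Remember the caveat in the post: tightening _vti_pvt to owner-only only works if the FrontPage CGI (shtml.exe) runs as that owner via a setuid wrapper or the server runs as root; otherwise the extensions can no longer read the password files.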

There still exists one more privacy hole with Frontpage, and that is the ability
to list all the subwebs in a web, without needing a password.  This is achieved
via pointing Frontpage at a web; it'll come back with a list of subwebs.  Possible
solutions to this are to simply add the shtml.exe extension under password protection
like the rest of the extensions; however, the FP client may not cope with this correctly.

So, here is the status of Frontpage and its (in)security.

I'm not in the business of providing script kiddies with plug-n-play hacks for
Frontpage, so you'll have to do your own footwork.

<End of FAQ>

--
Perry Harrington        System Software Engineer    zelur xuniL  ()
http://www.webcom.com  perry.harrington () webcom com  Think Blue.  /\