Bugtraq mailing list archives

FrontPage + Apache + FreeBSD

From: omni () DYNMC NET (Gregory A. Carter)
Date: Mon, 22 Mar 1999 08:20:27 -0800


I've sent in a report for FrontPage extensions and their lack of security
and so far after about two weeks have yet to gain a reply.  I have
searched hours on end on multiple lists for a solution to this problem and
still have not found an answer so I have come to the conclusion that it is
a bug and am so forth posting on it to bugtraq in hopes that a solution
will be made.

We run apache web servers with FrontPage Extensions compiled in as a
module and have noticed that when using virtual hosts their is a huge
security issue.  When using the "ServerAlias" directive on a virtual
domain, the alias will work fine on the web, however if you try to open
FrontPage and use the aliases name (and "list webs") the extensions will
display the servers root web, not the virtual root web.  Usually this
wouldn't harm anything however I've found that if you try and open the
root web using the aliased domain it will use the aliased domain's
permissions and open the root web.

Here's an example:

http.conf

<VirtualHost domain.com>
[insert paths
 etc and extra
 options here]
ServerAlias www.domain.com
</VirtualHost>

Now... we install frontpage extensions for domain.com.

Next we open frontpage on our machine and point it to domain.com, open the
web which should work fine and add a user.  For our purposes I'll use
"testing" with the password of "fpsucks".  Close the frontpage web then
reopen only this time before we hit "list webs" use the domain
www.domain.com.  Now frontpage will return the server's root web instead
of the virtual root.  Select it and click ok to open and the u/p box will
appear.  Now usually this should be asking for the root web's username and
password and other webs permissions shouldn't work.  However we enter the
username of "testing" and the password of "fpsucks", low and behold it
opens the root web and allows the user the same permissions that the
virtual web had for it.

Nasty.  My apologies if I'm just ignorant but I serious haven't found ANY
articles about this and I've searched the third party software vendor that
Microsoft uses for FP extensions without a solutions.

Greg

+(Omni () Dynmc Net)------------------------------------------------------+
| Dynamic Networking Solutions                     InterX Technologies |
| Senior Network Administrator                bits/keyID 1024/7DF9C285 |
| omni () interx net omni () itstudio net omni () undernet org omni () webpop3 com |
+--------[  DC 50 57 59 C3 76 46 E8 EB 75 A8 94 FE 96 9E D3 ]----------+

Current thread:

X11R6 NetBSD Security Problem in.telnetd (Mar 21)
- Re: X11R6 NetBSD Security Problem in.telnetd (Mar 21)
  - Re: X11R6 NetBSD Security Problem Petras Sinkevicius (Mar 26)
- FrontPage + Apache + FreeBSD Gregory A. Carter (Mar 22)
  - ANNOUNCE: New Security Tool: HostSentry 0.02 Alpha Craig H. Rowland (Mar 25)
  - Re: FrontPage + Apache + FreeBSD Roberto Grassi (Mar 26)
    - Re: FrontPage + Apache + FreeBSD Gregory A. Carter (Mar 26)
- abuse of nickserv Nelson Little (Mar 23)
- Linux 2.2.3 patch to prevent FIN/NULL/XMAS scans Taral (Mar 24)
- not only NetBSD [was Re: X11R6 NetBSD Security Problem] Pavel Machek (Mar 26)
- Re: X11R6 NetBSD Security Problem Matthieu Herrb (Mar 26)
  - Re: X11R6 NetBSD Security Problem Kevin Vajk (Mar 28)
- wu-ftp 2.4.2 (release VR16) /bin/ftponly [ (Mar 27)
- SuSE Security Announcement - XFree86 Marc Heuse (Mar 28)

(Thread continues...)