Anyone using the FrontPage extensions on a Unix system should note the couple of possible security issues in the below forwared message and be sure that they do not cause problems in your environment. I have not looked at the issues at all, I am just forwarding a note that RTR sent to their mailing list. ---------- Forwarded message ---------- Date: Fri, 20 Mar 1998 10:45:33 -0500 From: RTR Webmaster <webmasterat_private> Subject: New FrontPage98 Server Extensions Release Please note that there is a new release of the FrontPage98 Server Extensions for UNIX. It includes: 1. Server-Side Script Security Combining server-side scripting code on a web page along with a FrontPage component (formerly "WebBot component") would allow an end-user to view the actual script if they view the source of the resulting page. Also, a user knowledgeable about the Server Extensions could exploit this behavior to view script source by passing the page to the browse-time Server Extensions EXE, SHTML.EXE. 2. Symbolic Links If a user with telnet access to their content directory created symbolic links within this directory, the FrontPage Explorer and the FrontPage Server Administrator (fpsrvadm.exe) would follow the symbolic links and therefore could potentially make unwanted changes to the linked files. 3. Updated fpcount.exe Until the update, this executable could potentially cause a browse-time hang. 4. Discussion Webs A Discussion Web issue where sorting messages in reverse chronological order did not work. 5. NORTBOTS.HTM with Disk-based webs An issue specific to disk-based webs that are published to a FrontPage-extended Web server where activating FrontPage components may result in a "HTTP/1.0 404 Object not found" error. Also included in this release is Apache-fp 1.2.5. To obtain more information concerning this release please check http://www.rtr.com/fpsupport/1330update_UNIX.htm and to download them http://www.rtr.com/fpsupport/download.htm. <html> <a href=http://www.rtr.com/fpsupport/1330update_UNIX.htm>More Information</a> <a href=http://www.rtr.com/fpsupport/download.htm>To Download</a> </html>
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:46:32 PDT