The Apache hack that M$ distributes allows one to create ANY directory on a Frontpage enabled web server, and execute content in it. This also goes for the stock Netscape Server config that M$ recommends.

Hmm, I wonder if M$ deliberately places security holes in Unix apps so that they can claim "but Frontpage under IIS doesn't have that hole!". Mainly because IIS loads Frontpage as a DLL (I suppose). Frontpage wouldn't be anywhere near the PIG it is if it ran as an Apache module or NSAPI module...but then who has an extra 5 megs per server process to burn???

EG: You want a rogue program to run, and the victim has anonymous uploadable FTP (or you sign up for a service and you want to run binaries on the server, but can't):

    mkdir _vti_bin
    cd _vti_bin
    put [whatever bin]

Web browser:

    http://www.victim.com/somedirectorystructure/_vti_bin/trojanfile

Boom you've got stuff runnin on that server.

They configure the Netscape server the same way. Unless you make a special NSAPI or Apache module, you're vulnerable as a freshly born ewe of a cloned sheep named Dolly!

And why is this possible???

    ScriptAlias "*/_vti_bin/*" /somedirpath

    <Object ppath="*/_vti_bin/*">
    ...
    </Object>

Solution:

Custom NSAPI / Apache module:

    NameTrans fn="prefix_fpdir" prefix_path="/somedir/cgi-bin/frontpage" name="cgi"

Plus:

Custom Stub:

    /somedir/cgi-bin/frontpage/cgi-wrapper [path to real binary]

--Perry

--
Perry Harrington        System Software Engineer    zelur xuniL  ()
http://www.webcom.com  perry.harringtonat_private      Think Blue.  /\
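An added audit example, not part of the original post: because the wildcard mapping quoted above makes any directory named _vti_bin executable, this walks a document root and reports _vti_bin directories that are world-writable or that hold files outside an expected list. The EXPECTED names, the function names and the sample tree are assumptions constructed for the example.

```python
import os
import stat
import tempfile

# Assumed allowlist of files a FrontPage install places under _vti_bin;
# adjust it to match your own installation.
EXPECTED = {"shtml.exe", "_vti_adm/admin.exe", "_vti_aut/author.exe"}

def audit_vti_bin(docroot, expected=EXPECTED):
    """Return sorted (path relative to docroot, reason) findings for every
    directory named _vti_bin found below docroot."""
    findings = []
    for dirpath, dirnames, _ in os.walk(docroot):
        if "_vti_bin" not in dirnames:
            continue
        dirnames.remove("_vti_bin")  # audited below; do not descend again
        vti = os.path.join(dirpath, "_vti_bin")
        # A world-writable _vti_bin lets any local or FTP user drop files
        # into a path the server treats as executable.
        if os.lstat(vti).st_mode & stat.S_IWOTH:
            findings.append((os.path.relpath(vti, docroot),
                             "world-writable directory"))
        for sub, _, files in os.walk(vti):
            for name in files:
                full = os.path.join(sub, name)
                inside = os.path.relpath(full, vti).replace(os.sep, "/")
                if inside not in expected:
                    findings.append((os.path.relpath(full, docroot),
                                     "unexpected file"))
    return sorted(findings)

def demo():
    """Constructed sample tree: one legitimate web, one upload area."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("site/_vti_bin/shtml.exe",
                    "site/_vti_bin/_vti_aut/author.exe",
                    "pub/incoming/_vti_bin/trojanfile"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        os.chmod(os.path.join(root, "site", "_vti_bin"), 0o755)
        os.chmod(os.path.join(root, "pub", "incoming", "_vti_bin"), 0o777)
        return audit_vti_bin(root)

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

Run it against the real document root with audit_vti_bin("/path/to/docroot"); any finding outside the webs you provisioned deserves a look.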
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:51:04 PDT