Followup to FP98 and other Frontpage bugs

From: pedwardat_private
Date: Mon Oct 12 1998 - 11:22:38 PDT


    Aleph,
    
     I'm sending this because I've been getting quite a few kiddies emailing
    me about the FP rant I did in April.  This is just a followup on what's
    outstanding, hopefully this'll get propagated to the sites which posted
    the original message.
    
            Thanks --Perry
    
    This message is an FAQ I created because of the number of requests
    I get regarding the FP98 bugs/holes.
    
    Ok, the state of FP98 is this:
    
     The current FP releases (1330 and post) fix the promiscuous permissions
    problems with the password files and such.
    
    AFAIK, the outstanding issues are these:
    
    _vti_pvt directory:  On a misconfigured webserver, this directory can be
            read via /_vti_pvt in a website.  This can still be read via an
            FTP client, given the default permissions.
    
            Fixes:  * add a deny directive in the obj.conf under NS, or use a
                            mod_redirect or similar under Apache.
    
                    * Make sure that the permissions on the _vti_pvt directory
                            are somewhat sane.
    
                    There is a problem with this: shtml.exe must read the password
                    files as the user of the webserver.  So, either you create
                    a wrapper which does a setuid(owner of web) before invoking
                    any FP extensions, or you set the permissions strictly and
                    run as root.
    
    _vti_cnf directory:  This is a privacy issue.  If you access an FP web
            with /_vti_cnf, you will get a shadow directory listing of all the files
        in that current directory.  It's the meta info FP keeps about every file
            it has under control; think of it as a CVS directory in a checked out
            tree.
    
            Fixes:  add a deny directive for */_vti_cnf/* in NS or Apache.
    
    There still exists one more privacy hole with Frontpage, and that is the ability
    to list all the subwebs in a web, without needing a password.  This is achieved
    via pointing Frontpage at a web, it'll come back with a list of subwebs.  Possible
    solutions to this are to simply add the shtml.exe extension under password protection
    like the rest of the extensions, however the FP client may not cope with this correctly.
    
    So, here is the status of Frontpage and its (in)security.
    
    I'm not in the business of providing script kiddies with plug-n-play hacks for
    Frontpage, so you'll have to do your own footwork.
    
    <End of FAQ>
    
    --
    Perry Harrington        System Software Engineer    zelur xuniL  ()
    http://www.webcom.com  perry.harringtonat_private  Think Blue.  /\
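
The Apache side of the _vti_pvt and _vti_cnf fixes from the FAQ above, written out as an added example (this is not part of Perry's post, and it assumes an Apache server; the Netscape obj.conf equivalent is not shown). The deny is placed on the URL path rather than the filesystem path on purpose: it stops direct browser and anonymous retrieval of those directories while the FP extensions (shtml.exe and friends) can still read the password files from disk as the webserver user, which is the caveat the FAQ raises.

```apache
# Block HTTP access to FrontPage's private metadata directories anywhere
# under the server, in any web or subweb.  Matching on the URL path means
# only client requests are refused; the FP CGI binaries still read the
# files through the filesystem, so the extensions keep working.

# Apache 1.3 / 2.0 / 2.2 syntax (the era of this FAQ):
<LocationMatch "/_vti_(pvt|cnf)(/|$)">
    Order deny,allow
    Deny from all
</LocationMatch>

# Apache 2.4 syntax for the same rule:
# <LocationMatch "/_vti_(pvt|cnf)(/|$)">
#     Require all denied
# </LocationMatch>

# Alternative using mod_rewrite (what the FAQ calls "mod_redirect or
# similar"): answer 403 Forbidden for any request touching those paths.
# RewriteEngine On
# RewriteRule "/_vti_(pvt|cnf)(/|$)" - [F,NC]
```

After reloading, a request for /_vti_pvt/ or /some/subweb/_vti_cnf/ should return 403 instead of a listing; the FTP and filesystem permission part of the fix still has to be done separately, as the FAQ notes.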
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:18 PDT