Aleph,

I'm sending this because I've been getting quite a few kiddies emailing me about the FP rant I did in April. This is just a followup on what's outstanding; hopefully this'll get propagated to the sites which posted the original message.

Thanks

--Perry

This message is an FAQ I created because of the number of requests I get regarding the FP98 bugs/holes.

Ok, the state of FP98 is this:

The current FP releases (1330 and post) fix the promiscuous permissions problems with the password files and such. AFAIK, the outstanding issues are these:

_vti_pvt directory:

On a misconfigured webserver, this directory can be read via /_vti_pvt in a website. This can still be read via an FTP client, given the default permissions.

Fixes:

* Add a deny directive in the obj.conf under NS, or use a mod_redirect or similar under Apache.
* Make sure that the permissions on the _vti_pvt directory are somewhat sane. There is a problem with this: shtml.exe must read the password files as the user of the webserver. So, either you create a wrapper which does a setuid(owner of web) before invoking any FP extensions, or you set the permissions strictly and run as root.

_vti_cnf directory:

This is a privacy issue. If you access an FP web with /_vti_cnf, you will get a shadow directory listing of all the files in that current directory. It is the meta info FP keeps about every file it has under control; think of it as a CVS directory in a checked out tree.

Fixes: add a deny directive for */_vti_cnf/* in NS or Apache.

There still exists one more privacy hole with Frontpage, and that is the ability to list all the subwebs in a web, without needing a password. This is achieved by pointing Frontpage at a web; it'll come back with a list of subwebs. Possible solutions to this are to simply add the shtml.exe extension under password protection like the rest of the extensions; however, the FP client may not cope with this correctly.

So, here is the status of Frontpage and its (in)security.

I'm not in the business of providing script kiddies with plug-n-play hacks for Frontpage, so you'll have to do your own footwork.

<End of FAQ>

--
Perry Harrington
System Software Engineer
zelur xuniL ()
http://www.webcom.com
perry.harringtonat_private
Think Blue. /\
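The permissions fix in the FAQ can be checked from the server's own filesystem. The following is an added example, not part of the original message or any FrontPage tooling: it walks a web root and reports every path inside a _vti_pvt or _vti_cnf tree that grants permission bits to "other". The function name and the output format are assumptions made for illustration.

```python
import os
import stat

# Directory names taken from the FAQ; everything else here is illustrative.
FP_DIRS = {"_vti_pvt", "_vti_cnf"}


def audit_fp_dirs(web_root):
    """Walk web_root and report FrontPage metadata paths that grant any
    permission bits to "other" (the condition that lets another local or
    FTP user reach them). Returns sorted (path, octal_mode, reason) tuples."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        rel_parts = os.path.relpath(dirpath, web_root).split(os.sep)
        if not FP_DIRS.intersection(rel_parts):
            continue  # not inside a _vti_pvt or _vti_cnf tree
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((path, oct(mode), "writable by other"))
            elif mode & (stat.S_IROTH | stat.S_IXOTH):
                findings.append((path, oct(mode), "readable by other"))
    return sorted(findings)


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mode, reason in audit_fp_dirs(root):
        print(f"{mode:>7}  {reason:<18} {path}")
```

Tightening the reported paths runs into the constraint the FAQ describes: the extensions still have to read the password files as whatever user the webserver runs them as.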