> I've sent in a report for FrontPage extensions and their lack of security
> and so far after about two weeks have yet to gain a reply. I have
> searched hours on end on multiple lists for a solution to this problem and
> still have not found an answer, so I have come to the conclusion that it is
> a bug and am therefore posting on it to bugtraq in hopes that a solution
> will be made.
>
> We run Apache web servers with FrontPage Extensions compiled in as a
> module and have noticed that when using virtual hosts there is a huge
> security issue. When using the "ServerAlias" directive on a virtual
> domain, the alias will work fine on the web; however, if you try to open
> FrontPage and use the alias's name (and "list webs") the extensions will
> display the server's root web, not the virtual root web. Usually this
> wouldn't harm anything; however, I've found that if you try and open the
> root web using the aliased domain it will use the aliased domain's
> permissions and open the root web.
>
> Here's an example:
>
> http.conf
>
> <VirtualHost domain.com>
> [insert paths
> etc and extra
> options here]
> ServerAlias www.domain.com
> </VirtualHost>

And if you don't use the ServerAlias directive? Does it happen again? We have
configured Apache with the FP98 extensions on our FreeBSD system, but it
doesn't appear to suffer from the problem you expose. I gathered FP98
extension information from http://www.rtr.com/fpsupport/discuss.htm

> Now... we install frontpage extensions for domain.com.
>
> Next we open frontpage on our machine and point it to domain.com, open the
> web which should work fine and add a user. For our purposes I'll use
> "testing" with the password of "fpsucks". Close the frontpage web then
> reopen, only this time before we hit "list webs" use the domain
> www.domain.com. Now frontpage will return the server's root web instead
> of the virtual root. Select it and click ok to open and the u/p box will
> appear. Now usually this should be asking for the root web's username and
> password and other webs' permissions shouldn't work. However we enter the
> username of "testing" and the password of "fpsucks", lo and behold it
> opens the root web and allows the user the same permissions that the
> virtual web had for it.
>
> Nasty. My apologies if I'm just ignorant but I seriously haven't found ANY
> articles about this and I've searched the third party software vendor that
> Microsoft uses for FP extensions without a solution.
>
> Greg
>
> +(Omniat_private)------------------------------------------------------+
> | Dynamic Networking Solutions InterX Technologies |
> | Senior Network Administrator bits/keyID 1024/7DF9C285 |
> | omniat_private omniat_private omniat_private omniat_private |
> +--------[ DC 50 57 59 C3 76 46 E8 EB 75 A8 94 FE 96 9E D3 ]----------+

However, I still have many doubts on FrontPage security and functionality.

Grassi Roberto
NET1 S.r.l.
System & Network Administrator
via S.Cristoforo, 44
21047 Saronno (VA) - ITALY
e-mail: roberto@net-one.it
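As an added example (not code from either poster), a small Python audit script that finds VirtualHost blocks carrying a ServerAlias, the configuration the report blames, and rewrites each alias into its own VirtualHost block so no name is served through an alias, which is the variant Roberto's question asks about. The sample httpd.conf fragment is constructed, and the script assumes a flat file without Include directives or line continuations.

```python
import re

# Constructed httpd.conf fragment modelled on the one in the report.
SAMPLE_CONF = """\
<VirtualHost domain.com>
    ServerName domain.com
    DocumentRoot /www/domain.com
    ServerAlias www.domain.com ftp.domain.com
</VirtualHost>
<VirtualHost other.example>
    ServerName other.example
    DocumentRoot /www/other.example
</VirtualHost>
"""

# Matches one <VirtualHost ...> ... </VirtualHost> block (argument, body).
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def _split_lines(body):
    """Separate ServerAlias names from the remaining directive lines."""
    aliases, kept = [], []
    for line in body.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "serveralias":
            aliases.extend(parts[1:])
        else:
            kept.append(line)
    return aliases, kept


def find_aliased_vhosts(conf):
    """Audit: list (vhost argument, [aliases]) for every block using ServerAlias."""
    found = []
    for m in VHOST_RE.finditer(conf):
        aliases, _ = _split_lines(m.group(2))
        if aliases:
            found.append((m.group(1).strip(), aliases))
    return found


def _split_block(m):
    """Expand one block: keep it alias-free, then clone it once per alias."""
    arg, body = m.group(1).strip(), m.group(2)
    aliases, kept = _split_lines(body)
    if not aliases:
        return m.group(0)  # nothing to change, emit verbatim
    blocks = ["<VirtualHost %s>%s\n</VirtualHost>" % (arg, "\n".join(kept))]
    for alias in aliases:
        # Same paths/options as the parent block, but its own ServerName.
        lines = [l for l in kept if not (l.split() and l.split()[0].lower() == "servername")]
        lines.append("    ServerName " + alias)
        blocks.append("<VirtualHost %s>%s\n</VirtualHost>" % (alias, "\n".join(lines)))
    return "\n".join(blocks)


def split_aliases(conf):
    """Return conf with every ServerAlias turned into a separate VirtualHost."""
    return VHOST_RE.sub(_split_block, conf)
```

Each alias block still needs its own FrontPage extension install and permissions afterwards; the script only changes the Apache side.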
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:40:11 PDT