This is not a security issue. Hence why they did not respond to you.

In your own example of a VirtualHost you listed domain.com and alias www.domain.com in the same hosting. In this instance why wouldn't FrontPage associate both domains as being in the SAME directory and location? Hence the username and password are stored in the same location. Both are working on the same ROOT WEB. You didn't set up any subwebs, so you wouldn't see any of those.

It would be considered a security issue if, say, www.somedomain.com opened with the user/pass of the one set for www.domain.com. But in this instance it would not be.

Thanks
Paul Schandel

-----Original Message-----
From: Gregory A. Carter [mailto:omniat_private]
Sent: Monday, March 22, 1999 8:20 AM
To: BUGTRAQat_private
Subject: FrontPage + Apache + FreeBSD

I've sent in a report for FrontPage extensions and their lack of security and so far, after about two weeks, have yet to gain a reply. I have searched hours on end on multiple lists for a solution to this problem and still have not found an answer, so I have come to the conclusion that it is a bug and am so forth posting on it to bugtraq in hopes that a solution will be made.

We run Apache web servers with FrontPage Extensions compiled in as a module and have noticed that when using virtual hosts there is a huge security issue. When using the "ServerAlias" directive on a virtual domain, the alias will work fine on the web; however, if you try to open FrontPage and use the alias's name (and "list webs"), the extensions will display the server's root web, not the virtual root web. Usually this wouldn't harm anything; however, I've found that if you try to open the root web using the aliased domain it will use the aliased domain's permissions and open the root web.

Here's an example:

httpd.conf

<VirtualHost domain.com>
[insert paths etc and extra options here]
ServerAlias www.domain.com
</VirtualHost>

Now... we install FrontPage extensions for domain.com.

Next we open FrontPage on our machine and point it to domain.com, open the web (which should work fine) and add a user. For our purposes I'll use "testing" with the password of "fpsucks". Close the FrontPage web, then reopen, only this time before we hit "list webs" use the domain www.domain.com. Now FrontPage will return the server's root web instead of the virtual root. Select it and click OK to open, and the u/p box will appear. Now usually this should be asking for the root web's username and password, and other webs' permissions shouldn't work. However, we enter the username of "testing" and the password of "fpsucks", and lo and behold it opens the root web and allows the user the same permissions that the virtual web had for it. Nasty.

My apologies if I'm just ignorant, but I seriously haven't found ANY articles about this, and I've searched the third-party software vendor that Microsoft uses for FP extensions without a solution.

Greg

+(Omniat_private)------------------------------------------------------+
| Dynamic Networking Solutions                     InterX Technologies |
| Senior Network Administrator              bits/keyID 1024/7DF9C285   |
| omniat_private   omniat_private   omniat_private   omniat_private    |
+--------[ DC 50 57 59 C3 76 46 E8 EB 75 A8 94 FE 96 9E D3 ]----------+
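As an added example (not part of the thread, and not Apache's or FrontPage's own code), the script below walks an httpd.conf fragment and lists every ServerAlias hostname next to the ServerName whose web it should open. That list is the set of names to try in FrontPage's "list webs", since Greg's report is that a name known to Apache only as an alias returns the server root web rather than the virtual root. The configuration fragment is constructed for the example; the first block mirrors the one in the post with a DocumentRoot filled in, and the second block is an assumed extra host with two aliases and a quoted path so the parser handles those shapes too.

```python
import re
from typing import Dict, List

# Constructed httpd.conf fragment for the example (not from any real server).
# Block one mirrors the post; block two is an assumed host with two aliases.
SAMPLE_CONF = """\
<VirtualHost domain.com>
    DocumentRoot /usr/local/www/domain.com
    ServerAlias www.domain.com
</VirtualHost>

<VirtualHost other.example>
    ServerName other.example
    ServerAlias www.other.example ftp.other.example
    DocumentRoot "/usr/local/www/other.example"
</VirtualHost>
"""

# <VirtualHost addr> ... </VirtualHost>, body captured lazily across lines.
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
# One directive per line; value runs to end of line, trailing whitespace dropped.
DIRECTIVE_RE = re.compile(
    r"^\s*(ServerName|ServerAlias|DocumentRoot)\s+(.+?)\s*$", re.M | re.I
)


def parse_vhosts(conf: str) -> List[Dict]:
    """Return one dict per <VirtualHost> block with its name, root and aliases.

    If a block has no ServerName (as in the post's example), the address on the
    <VirtualHost> line is used, with any :port suffix stripped.
    """
    hosts = []
    for m in VHOST_RE.finditer(conf):
        addr, body = m.group(1).strip(), m.group(2)
        entry = {"addr": addr, "server_name": None,
                 "document_root": None, "aliases": []}
        for d in DIRECTIVE_RE.finditer(body):
            key, val = d.group(1).lower(), d.group(2)
            if key == "servername":
                entry["server_name"] = val
            elif key == "documentroot":
                entry["document_root"] = val.strip('"')
            else:  # ServerAlias may carry several names on one line
                entry["aliases"].extend(val.split())
        if entry["server_name"] is None:
            entry["server_name"] = addr.split(":")[0]
        hosts.append(entry)
    return hosts


def alias_hostnames(conf: str) -> Dict[str, str]:
    """Map each ServerAlias hostname to the ServerName of its virtual host.

    Every key is a name to point FrontPage at and "list webs" with; the
    virtual root web for the value is what should come back.
    """
    out = {}
    for h in parse_vhosts(conf):
        for alias in h["aliases"]:
            out[alias] = h["server_name"]
    return out


if __name__ == "__main__":
    for alias, name in alias_hostnames(SAMPLE_CONF).items():
        print(f"check in FrontPage: {alias:24} expected web: {name}")
```

Run it against a real httpd.conf by replacing SAMPLE_CONF with the file's contents; any alias that lists the server root web instead of the web shown in the second column reproduces the behaviour Greg describes.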
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:40:20 PDT