Re: FrontPage + Apache + FreeBSD

From: Gregory A. Carter (omniat_private)
Date: Fri Mar 26 1999 - 14:44:21 PST

Next message: The ADM Crew: "Re: ADM w0rm"

Previous message: aleph1at_private: "Microsoft Security Bulletin (MS99-010)"
Maybe in reply to: Gregory A. Carter: "FrontPage + Apache + FreeBSD"
Next in thread: Paul Schandel: "Re: FrontPage + Apache + FreeBSD"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 26 Mar 1999, Paul Schandel wrote:

 . This is not a security issue.  Hence why they did not respond to you.
 .
 . In your own example of a VirtualHost you listed domain.com and alias
 . www.domain.com in the same hosting.
 .
 . In this instance why wouldnt FrontPage associate both domains as being in
 . the SAME directory and location.  Hence the username and password are stored
 . in the same location.  Are both working on the same ROOT WEB.  you didnt
 . setup any subwebs so you wouldnt see any of those.  It would be considered a
 . security issue if say www.somedomain.com opened with the user/pass of the
 . one set for www.domain.com.  But in this instance it would not be.


No this is not correct, when I'm going to www.domain.com... instead of the
server pointing me at the root web of the virtual hosted site it brings me
to the root web of the whole server.  Sub webs have nothing to do with it.
I wouldn't care about the problem at all accept for the fact the when it
directs FrontPage Explorer to the main root web instead it also uses the
VIRTUAL WEBS permissions.  Hence as in my case I added a user to the
virtual web and pointed my web site to www.domain.com (the virtual web
alias), it brought up the MAIN web for the whole server but allowed me
access with the virtual webs permissions.  This is *definatly* a bug on
M$'s side here.  The extensions to at the LEAST recognize the
"ServerAlias" directive in apache and either #1 Go to the right web or #2
deny access to the main root web of the whole server with the virtual webs
usernames and passwords.

Try it out you'll see what I mean.  I was quite surprised when I added a
u/p so a customer could edit their virtual web site and having them call
up and mention that they had access to our main web site that's not
virtualy hosted because they entered "www.domain.com" instead of
"domain.com" in the list webs box.

Greg

+(Omniat_private)------------------------------------------------------+
| Dynamic Networking Solutions                     InterX Technologies |
| Senior Network Administrator                bits/keyID 1024/7DF9C285 |
| omniat_private omniat_private omniat_private omniat_private |
+--------[  DC 50 57 59 C3 76 46 E8 EB 75 A8 94 FE 96 9E D3 ]----------+

Next message: The ADM Crew: "Re: ADM w0rm"
Previous message: aleph1at_private: "Microsoft Security Bulletin (MS99-010)"
Maybe in reply to: Gregory A. Carter: "FrontPage + Apache + FreeBSD"
Next in thread: Paul Schandel: "Re: FrontPage + Apache + FreeBSD"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:40:40 PDT