[techtalk] MS Frontpage Extensions?

Jillian-Beth Stamos-Kaschke jbsk at metis.de
Wed May 2 11:19:00 EST 2001


Hi Kath,

On Mon, Apr 30, 2001 at 04:04:32PM -0400, Kath wrote:
> How secure actually is Microsoft FP Extensions?  I had my co-admin install it on the server so it is easier for him or others to update via Frontpage 2000, but I'm worried about the security ramifications.  I mean, I don't want to end up on attrition.org with a picture of someones grandma replacing my website (or worse).

Oh dear. I've just had to install FP extensions on the
Web server at work for precisely this reason (it being
"easier" for others to use FP when updating their Web pages),
but instead of using Microsoft's Apache patch I used one by
Christof Pohl which enables the use of suexec. As requests to 
CGIs on users' pages (which includes the HTTP POST commands used
by FP extensions when communicating with the Web server) will 
subsequently be run as the documents' owners themselves, 
rather than under the Web server's ID, this *should* protect your 
stuff. We have the FP extensions installed on a separate server,
though, just in case :)

> I've heard stories, but I was wondering about pure facts on FP security.

If you use FP extensions without suexec, then you're asking
for trouble; at least that was the general opinion here. Ask
Google for "'Frontpage extensions' security and Linux" for more 
information. There was an article in Sys Admin magazine last
year which is unfortunately not online, but I'll check at home
to see if I still have it; if so, I can provide you with a
synopsis if you want. Before I started out, I rootled around
to find out whether the FP code itself could be used to compromise
a system in any way, but had no luck, so if you find anything on 
that, I'd be very grateful. 

Something that just occurred to me: you're using FP extensions
on a UNIX/Linux server, right? If not, then try looking in the
Bugtraq archives for January of this year, there was something
about insecurities in FP extensions for NT/Win2000 servers.

For more on suexec:
http://httpd.apache.org/docs/suexec.html

For more on improved mod_frontpage:

http://home.edo.uni-dortmund.de/~chripo/

Don't forget to check out the discussion forums on Christof Pohl's
website, they can be extremely useful if you run into problems (she
said, speaking from experience :)

Jillian.
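Added example, not part of Jillian's message or of Christof Pohl's mod_frontpage: a small CGI probe for checking whether suexec really switches the request to the document owner, which is the property the message relies on ("*should* protect your stuff"). The user name "kath", the path ~kath/public_html/cgi-bin/whoami.cgi, and the list of typical web-server accounts are assumptions; adjust them to your own layout.

```sh
#!/bin/sh
# Added example (not from the original message): a hypothetical CGI probe
# for verifying that suexec switches to the document owner.
# Assumed layout: installed as a user's CGI, e.g.
# ~kath/public_html/cgi-bin/whoami.cgi, under a vhost or UserDir that
# suexec covers. User names and paths here are assumptions.

# Emit a CGI response that reports the identity the CGI actually ran as.
# Under suexec this should be the script's owner. Without suexec it is the
# web server's own account (nobody, www-data, ...), which is exactly the
# situation where a FrontPage POST handled for one site can write into
# every file the server account can write, other sites included.
whoami_cgi() {
    printf 'Content-Type: text/plain\r\n\r\n'
    printf 'effective_user=%s\n' "$(id -un)"
    printf 'effective_uid=%s\n' "$(id -u)"
}

# Extract the reported user name from a response body (headers included).
reported_user() {
    printf '%s\n' "$1" | sed -n 's/^effective_user=//p' | head -n 1
}

# Return 0 when the CGI ran as the expected owner, 1 otherwise.
runs_as_owner() {
    body="$1"
    expected_owner="$2"
    [ "$(reported_user "$body")" = "$expected_owner" ]
}

# Classify a response as "owner" (suexec did its job), "server" (ran as
# the web server account: no protection) or "other" (misconfiguration,
# e.g. a wrong User/Group in the vhost). The account list is an assumption.
classify_identity() {
    body="$1"
    expected_owner="$2"
    actual=$(reported_user "$body")
    if [ "$actual" = "$expected_owner" ]; then
        echo owner
        return 0
    fi
    case "$actual" in
        nobody|www|www-data|apache|httpd) echo server ;;
        *) echo other ;;
    esac
}

# When the web server invokes this file as a CGI, answer the request;
# when sourced or run by hand, only the functions are defined.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    whoami_cgi
fi
```

Fetch it once through the server (for instance with `curl http://yourhost/~kath/cgi-bin/whoami.cgi`) and feed the body to `classify_identity "$body" kath`: anything other than "owner" means the FP extension CGIs in that tree are not running under the document owner, and the suexec setup needs looking at before trusting it.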
