From: Jim Sander
Cc: BSD-ISP
Date: Mon, 27 Aug 2001 10:40:32 -0400 (EDT)
Subject: Re: Frontpage Extensions - security and reliability assessment
In-Reply-To: <3B8A4965.5484BA3B@buckhorn.net>
Delivered-To: freebsd-isp@freebsd.org

Ditto what others have been saying. We've got a few hundred FP-enabled sites running on FreeBSD, and relatively few problems.

Security-wise, there's no way to know for sure since the code isn't public, but we haven't seen any real problems since the early days. (knock on wood!) Common sense seems to be enough to keep a reasonably secure system.

Users here also have FTP and shell access to their FP-enabled accounts, so it is pretty easy for them to clobber things that FP expects to see. That (usually) won't totally hose their site, and (again usually) a simple uninstall and reinstall of the extensions fixes the problem. We tell people that if they want to do "advanced" things, they're probably better off without the extensions since most of those capabilities are trivially duplicated via CGI scripts anyway.

One problem that was missed is that lots of the functionality of the FP server extensions is controlled by the FP client.
For instance, FP97, and early versions of FP98, by default create more restrictive .htaccess files than later versions, specifically not allowing the POST method everywhere. This can confuse people who don't understand such things (the likely users of FP) if you're also allowing them to use their own scripts.

We've also seen problems related to the way FP2K handles sub-webs compared to FP98. (now you're allowed to have nested sub-webs) If customers use both versions of FP (or for a short time after they upgrade) it can be a bit strange until they republish their entire web and all the sub-webs. If you're supporting a heterogeneous environment it is a bit of a pain, especially from the aspect of documentation, but mostly people have moved to FP2K now I think. (and we'll see what happens with 2002 I guess)

Mostly it's a question of FP not "playing well with others": if you stick to supporting only the built-in FP stuff, you're OK. When you try to mix in your own complex CGI functions it can get interesting sometimes. Still, with care it's definitely possible; it just takes some hacking.

Then there's the issue of ASP support, which of course is nonexistent. So certain things like the "Save to Database" form component won't work. That's probably the biggest hurdle: explaining that having the FrontPage extensions doesn't necessarily enable ASP scripting.

-=Jim=-
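A worked illustration of the .htaccess point in the post above, added here as an example; it is not code from Jim's message or from the FrontPage extensions. It assumes the extensions control per-directory method access on Apache through `<Limit>` blocks in .htaccess (which is how they did it), and the two sample files it writes are constructed to show the "POST not allowed everywhere" difference, not copied from any particular FP release. The `posts_allowed` function is a hypothetical audit helper an ISP could run across customer webs to find directories where a user's own POST form handler would get a 403.

```shell
#!/bin/sh
# Added example, not part of the original post and not FrontPage's own code.
# Assumption: FP-managed .htaccess files gate HTTP methods with Apache
# <Limit> blocks; the sample files below are constructed for illustration.
#
# posts_allowed FILE: prints "yes" if the .htaccess permits POST in that
# directory (what a user's own CGI form handler needs), "no" if a <Limit>
# block that names POST denies it.  Apache semantics modelled:
#   - directives inside <Limit M1 M2> apply only to the listed methods;
#   - a method not named in any <Limit> is unrestricted by that file
#     (the classic <Limit> footgun; <LimitExcept> is the safe form);
#   - with "order deny,allow" an "allow from all" overrides "deny from all",
#     with "order allow,deny" the deny wins.
# Directives outside any <Limit> block are not modelled here.
posts_allowed() {
    awk '
        BEGIN { result = "yes"; in_limit = 0 }
        {
            line = tolower($0)
            sub(/^[ \t]+/, "", line)
            if (line ~ /^<limit[ \t]/) {
                in_limit = 1
                post_listed = (line ~ /[ \t]post[ \t>]/)
                order = "deny,allow"; deny = 0; allow = 0
                next
            }
            if (line ~ /^<\/limit>/) {
                if (in_limit && post_listed && deny && !(allow && order == "deny,allow"))
                    result = "no"
                in_limit = 0
                next
            }
            if (!in_limit) next
            if (line ~ /^order[ \t]/) {
                order = line
                sub(/^order[ \t]+/, "", order)
                gsub(/[ \t]/, "", order)
            }
            if (line ~ /^deny[ \t]+from[ \t]+all/)  deny = 1
            if (line ~ /^allow[ \t]+from[ \t]+all/) allow = 1
        }
        END { print result }
    ' "$1"
}

# make_samples DIR: writes two constructed .htaccess files under DIR.
make_samples() {
    mkdir -p "$1/fp2k" "$1/fp97"
    # Later-style file: scripts may be reached with GET or POST,
    # while PUT/DELETE (authoring) stay denied.
    cat > "$1/fp2k/.htaccess" <<'EOF'
# -FrontPage-
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
EOF
    # Earlier-style file: only GET is opened up, so a user's own POST
    # form handler in this directory fails until the file is regenerated.
    cat > "$1/fp97/.htaccess" <<'EOF'
# -FrontPage-
<Limit GET>
order deny,allow
deny from all
allow from all
</Limit>
<Limit POST PUT DELETE>
order deny,allow
deny from all
</Limit>
EOF
}

# audit DIR: one line per .htaccess found, "yes"/"no" for POST plus the path.
audit() {
    find "$1" -name .htaccess -print | sort | while read -r f; do
        printf '%s\t%s\n' "$(posts_allowed "$f")" "$f"
    done
}

# Stand-alone demonstration on the constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp"
audit "$tmp"
rm -rf "$tmp"
```

Run it as-is to see the two verdicts, or call `audit /usr/local/www` (or wherever the customer webs live) to list every FP-managed directory that still denies POST. The check only reads the `<Limit>` blocks, which is exactly the part the FP client rewrites on a republish; anything the customer added outside those blocks is deliberately left alone so the output points at the FP-generated difference, not at their own configuration.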