Date:      Sun, 3 Jan 1999 18:10:34 +1300
From:      Joe Abley <jabley@clear.co.nz>
To:        Barrett Richardson <terbart@aye.net>
Cc:        Erick Baum <cc@gvn.net>, freebsd-current@FreeBSD.ORG, jabley@clear.co.nz
Subject:   Re: FrontPage Extensions
Message-ID:  <19990103181034.A5354@clear.co.nz>
In-Reply-To: <Pine.BSF.3.96.990102214534.15431A-100000@phoenix.aye.net>; from Barrett Richardson on Sat, Jan 02, 1999 at 10:29:35PM -0500
References:  <002001be369c$239ad3e0$098a3fd1@ws1.gvn.net> <Pine.BSF.3.96.990102214534.15431A-100000@phoenix.aye.net>

On Sat, Jan 02, 1999 at 10:29:35PM -0500, Barrett Richardson wrote:
> 
> On Sat, 2 Jan 1999, Erick Baum wrote:
> 
> > I've seen some previous posts about the FrontPage Extensions for FreeBSD
> > opening up some major security holes.  Can someone tell me what kind of
> > security issues they are?
> > 
> > Also, I have been having trouble getting the extensions to work on FreeBSD
> > 2.2.6.  Does anyone know if there is something special I have to do?
> > 
> > Any input is appreciated.  Thanks.
> > 
> > -Erick
> >
> 
> I was digging thru the frontpage module and discovered that it wants
> a geteuid() == 0 before it will launch any of the cgi's that will
> do glorious things for your users. The cgi's end up running on
> behalf of a user, but the mechanism (as much of it as I understand)
> that makes that happen leaves opportunity for problems. The module
> checks the ownership of a "webroot" directory (appears to be the
> document root from the little I've seen thus far) and compares
> it to the ownership of /_vti_pvt and sees if they match. If they
> do, environment variables FPUID and FPGID are set to the uid and
> gid of these directories.
>
> [snip]

Check out Zeus Technology at http://www.zeus.co.uk/ - they have an
extremely fast and nice web server (with binaries available for FreeBSD
2.2.x) and incorporate their own FrontPage hosting without needing a lot
(all?) of the nasty Microsoft bloat.

We use it for our professional hosting product, which includes FrontPage
support. It is very good.

