Date:      Sat, 27 Nov 1999 16:14:31 +0100 (CET)
From:      Christian Kratzer <ck@toplink.net>
To:        "J.C. Frazier" <wolfman@csocs.com>
Cc:        freebsd-isp@FreeBSD.ORG
Subject:   Re: Problems with apache, frontpage, and vhosts
Message-ID:  <Pine.BSF.4.10.9911271612180.72119-100000@babylon.toplink.net>
In-Reply-To: <383DF8DD.C22B381C@csocs.com>

Hi,


frontpage 98 likes to write Options None into .htaccess files. I have not
yet checked frontpage 2000.  This forces one to leave AllowOverride Any
on the document directories.

We patched apache to allow an Options None even though everything else
is forbidden by AllowOverride Auth ... etc...

Else anybody can set Options ExecCGI in a document directory and proceed
with local system exploits....

Greetings
Christian


On Thu, 25 Nov 1999, J.C. Frazier wrote:

> I am running FreeBSD 3.3-stable, apache+php+mod_ssl-1.3.9+3.0.12+2.4.8,
> and frontpage extensions version 4.0 (not the module).  It was set up
> exactly as specified at www.freebsdzine.org in their FP article, if
> you'd like full details on the setup.  Two days ago this system was
> broken into.  Someone got in through frontpage and changed the account
> password.  After a lot of investigating and testing I found that my
> vhosts listed in apache.conf aren't abiding by the default settings for
> <Directory>'s in the file.  Hence no overrides and my .htaccess files
> are being ignored, leaving me wide open.  I am running a mixed named/ip
> based vhost system (8 named based hosts on one IP and 2 named based
> hosts on another IP).  Because my .htaccess files aren't being read, the
> FP extensions aren't working correctly either.  When a customer tries to
> GET, POST, etc...it won't accept any passwords.  My log files give no
> clues to what is wrong other than a password mismatch on those
> functions, even though the passwords have been checked and rechecked and
> are correct.  So for now I have uninstalled the frontpage extensions
> altogether temporarily because of the security implications until I can
> find out how to solve these problems.  I've searched the mailing lists
> and read the apache documentation site and can't find any other instance
> of this type of incident happening or any corrective actions.  I've
> tried a few different versions of apache including 1.3.3 and 1.3.6-php,
> both with the same results.  frontpage extensions version 3.0 also gave
> the same results.  Any help or advice would be greatly appreciated.
> Thank you for your time.
> 
> J.C. Frazier
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
> 

-- 
TopLink Internet Services GmbH			ck@171.2.195.in-addr.arpa
Christian Kratzer				http://www.toplink.net/
Phone: 	+49 7032 2701-0
Fax: 	+49 7032 2701-19	FreeBSD spoken here!
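
The distinction drawn in the reply above, between an `Options None` line in `.htaccess` and one that turns on `ExecCGI`, can be audited across document directories. This is an added example, not part of the original message and not Apache's or the poster's code; the function names and the sample file contents are constructed for illustration.

```python
import os
import re

# Apache directive names are case-insensitive; capture the argument list.
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.IGNORECASE)

def classify_options(args):
    """Classify the arguments of one Options directive."""
    tokens = [t.lower() for t in args.split()]
    if tokens == ["none"]:
        return "none"            # the form the reply says FrontPage 98 writes
    # ExecCGI is enabled by a bare or "+" token and is included in "All";
    # a "-ExecCGI" token keeps its "-" and therefore does not match.
    if any(t.lstrip("+") in ("execcgi", "all") for t in tokens):
        return "enables-cgi"
    return "other"

def audit_htaccess(text):
    """Return [(line_number, verdict)] for each Options line in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):    # whole-line comment
            continue
        match = OPTIONS_RE.match(line)
        if match:
            findings.append((lineno, classify_options(match.group(1))))
    return findings

def scan_tree(root):
    """Return {path: findings} for every .htaccess under root that sets Options."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, errors="replace") as handle:
                found = audit_htaccess(handle.read())
            if found:
                report[path] = found
    return report

# Constructed sample contents (not taken from any real site).
FRONTPAGE_STYLE = "# constructed sample\nOptions None\n\nAuthName example\n"
USER_EDITED = "Options +ExecCGI\nAddHandler cgi-script .cgi\n"

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in scan_tree(root).items():
        for lineno, verdict in found:
            print(f"{path}:{lineno}: Options -> {verdict}")
```

Run it with the document root as the only argument; any `enables-cgi` line marks a directory where override permissions let a content author switch on CGI execution.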


