Date:      Thu, 22 Oct 1998 18:25:50 -0700 (PDT)
From:      Marc Slemko <marcs@znep.com>
To:        "Dan Seafeldt, AZ.COM System Administrator" <yankee@az.com>
Cc:        Paul Hart <hart@iserver.com>, Deepwell Internet <freebsd@deepwell.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: FrontPage Server Extensions
Message-ID:  <Pine.BSF.4.03.9810221821210.20832-100000@alive.znep.com>
In-Reply-To: <Pine.BSF.3.91.981022142612.8131B-100000@gate.az.com>

On Thu, 22 Oct 1998, Dan Seafeldt, AZ.COM System Administrator wrote:

> 
> Regarding your comments about the dangers of using Frontpage 98 extension 
> modified apache server, and the home page you mentioned:
> 
> 
>  http://users.worldgate.com/~marcs/fp
> 
> 
> Short of user to user content security problems, according to this page
> the primary root exploit is: 
> 
> 1. discover key file using, among other things, ps because frontpage passes 
>    key using environment variables
> 2. key file allows (like the httpd daemon can) user to invoke fpexe, a SUID
> 3. with key, you can also tell fpexe to execute a /tmp/nasty as the user bin
> 4. the bin privileged program replaces/modifies a well known bin owned prog
> 5. next time root (cron) runs that well known program ... well you know 
>    the rest...
> 
> The problem that I see with this security flaw theory is:

Read the page a bit more closely, and look at MS's release dates.  The
reason the security checks are in the current version is due to my
complaints.  They essentially went through and added the things I
complained they didn't have, plus it looks like they copied the checking
that Apache's suexec does.

This is no "security flaw theory".  It is hard evidence of how braindead
and boneheaded the extensions were when that page was written.

The current version does not have the flaws described on that page, but
does have the ones (some of them somewhat fundamental to what it is trying
to do, some implementation mess-ups) that I briefly described earlier to
the list.

Regardless, I certainly am not overly willing to put much trust in
programs written by the same people that wrote the horrible monstrosity
that the original fpexe.c was.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
