Date: Fri, 23 Oct 1998 08:00:00 -0700 (PDT)
From: Marc Slemko <marcs@znep.com>
To: "Alan B. Clegg" <abc@cyclue.bsdi.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FrontPage Server Extensions
Message-ID: <Pine.BSF.4.03.9810230754220.20832-100000@alive.znep.com>
In-Reply-To: <19981023125400.14169.qmail@cyclue.bsdi.com>
On Fri, 23 Oct 1998, Alan B. Clegg wrote:

> [.. snippage ..]
>
> > Regardless, I certainly am not overly willing to put much trust in
> > programs written by the same people that wrote the horrible monstrosity
> > that the original fpexe.c was.
>
> And you run sendmail perhaps?
>
> Just because a previous version was bad does not PROVE that the newer ones
> are still bad.

Erm... it doesn't prove they are bad (and I never said or implied that it
did), but it sure as heck is a pretty damn big black mark against thinking
that they are good.

Here are the facts:

If there is any hole in the FrontPage CGI scripts, then someone can
compromise any account that is set up to use it.

The fpexe program, which did have source available, was obviously written
by someone who had absolutely no concept of or thought for security.

I don't have the source for the FrontPage CGI scripts, but they come in the
same package as the fpexe monstrosity.

Therefore, you have to work on the assumption that the FrontPage CGI scripts
probably have numerous security holes in them.

Regardless of what you may think, people and companies don't magically
change overnight from producing code without a "security clue" in the world
to producing secure code.

If you don't think past problems matter then go right ahead and do whatever
you want. I, however, do think that past problems matter a heck of a lot,
especially in this situation due to the nature of the problems.