From: Marc Slemko
To: "Alan B. Clegg"
cc: freebsd-security@FreeBSD.ORG
Date: Fri, 23 Oct 1998 08:00:00 -0700 (PDT)
Subject: Re: FrontPage Server Extensions
In-Reply-To: <19981023125400.14169.qmail@cyclue.bsdi.com>

On Fri, 23 Oct 1998, Alan B. Clegg wrote:

> [.. snippage ..]
>
> > Regardless, I certainly am not overly willing to put much trust in
> > programs written by the same people that wrote the horrible monstrosity
> > that the original fpexe.c was.
>
> And you run sendmail perhaps?
>
> Just because a previous version was bad does not PROVE that the newer ones
> are still bad.

Erm... it doesn't prove they are bad (and I never said or implied that it did), but it sure as heck is a pretty damn big black mark against thinking that they are good.

Here are the facts:

If there is any hole in the FrontPage CGI scripts, then someone can compromise any account that is set up to use it.

The fpexe program, which did have source available, was obviously written by someone who had absolutely no concept of or thought for security.
I don't have the source for the FrontPage CGI scripts, but they come in the same package as the fpexe monstrosity. Therefore, you have to work on the assumption that the FrontPage CGI scripts probably have numerous security holes in them.

Regardless of what you may think, people and companies don't magically change overnight from producing code without a "security clue" in the world to producing secure code.

If you don't think past problems matter, then go right ahead and do whatever you want. I, however, do think that past problems matter a heck of a lot, especially in this situation due to the nature of the problems.