Date: Tue, 28 Oct 1997 15:10:21 -0700 (MST)
From: Marc Slemko <marcs@znep.com>
To: Karl Denninger <karl@Mcs.Net>
Cc: FreeBSD Ports <ports@FreeBSD.ORG>, FreeBSD ISP <isp@FreeBSD.ORG>
Subject: Re: Apache FrontPage Module Port Completed
Message-ID: <Pine.BSF.3.95.971028150030.17238E-100000@alive.znep.com>
In-Reply-To: <19971028155143.46119@Mars.Mcs.Net>

On Tue, 28 Oct 1997, Karl Denninger wrote:

> I STRONGLY recommend that NOBODY load a botch of this kind on ANYTHING.
>
> SUID root programs for file transfers should be confined to those which have
> many YEARS of experience under their belts - like ftpd. There is absolutely
> NO REASON that Microsoft could not support FTP transfers from Frontpage, and
> if they did, this entire security fiasco would be moot.
>
> And yes, I've told Microsoft this -- for almost two years.
>
> They don't care, and until they do, I'm not risking my machines on their
> no-source code.

There is more to it than that. Yes, you can use FrontPage to upload files via ftp. If you don't use their special CGIs (erm... "bots" or whatever they call them), you can use FrontPage no problem without anything special installed on the server. The problem is their CGIs that implement "pretty" things for FP users.

The problem with the extensions traditionally has been that they modify the server config files each time a new site is created, they all run as the same user letting anyone modify the content or the web server config files, you need separate copies of their huge CGIs for each site even though they are the same, etc.

With the FrontPage 98 extensions for Apache, they added a fpexe program and a patch to Apache to no longer require the changes to the config file and to let the CGIs run as the user who owns the web. fpexe is a setuid root program, similar to suexec, that changes UIDs to the user before running the CGIs. Yes, one of the CGIs allows users to upload their web site.

The source to fpexe is available. In their first release they were absolute morons:

http://www.worldgate.com/~marcs/fp/

They have since released a "fixed" version. It appears better, but I haven't yet had time to fully review it; they take care of the obvious things I pointed out in the first release anyway. There are still issues, and still may be gaping holes, but they are far less obvious.

Since you have the source code to the only program they want you to make setuid root, you can judge the risk yourself like I did with the first release. The risk you are left open to is that if there is a hole in fpexe that you can't see when you review it then someone can possibly gain root. The other risk is that if there is a hole in their CGI scripts then someone can possibly gain access to the account of any user running them; this may or may not be an issue.

You have to be careful to divide the security issues into the proper different zones of risk. One is instant root. Many people dislike that a lot. Another is the possibility of compromising user accounts. Many people dislike that, but to some it is less significant.
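
[Added example, not part of the original message and not taken from the fpexe or suexec sources.] When reviewing a setuid-root CGI wrapper of the kind described above, these are the pre-exec checks to look for, modeled on the ones Apache's suexec documentation lists; the function names, result codes and the MIN_UID/MIN_GID thresholds are assumptions chosen for illustration.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

#define MIN_UID 100   /* assumed site policy: system accounts sit below this */
#define MIN_GID 100   /* assumed site policy */

enum vet_result { VET_OK = 0, VET_BAD_ID, VET_BAD_PATH, VET_NOT_FILE,
                  VET_WRITABLE, VET_SETID, VET_WRONG_OWNER };

/* A relative path with no ".." component cannot climb out of the
 * directory the wrapper has already chdir()ed into. */
static int path_is_confined(const char *cmd)
{
    if (cmd == NULL || cmd[0] == '\0' || cmd[0] == '/')
        return 0;
    for (const char *p = cmd; *p != '\0'; ) {
        size_t n = strcspn(p, "/");          /* length of this component */
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += n;
        if (*p == '/')
            p++;
    }
    return 1;
}

/* Decide, while still root, whether cmd may be run as uid:gid.
 * st is the caller's lstat() result for cmd. */
enum vet_result vet_cgi(const char *cmd, uid_t uid, gid_t gid,
                        const struct stat *st)
{
    if (uid < MIN_UID || gid < MIN_GID)      /* never root or system ids */
        return VET_BAD_ID;
    if (!path_is_confined(cmd))
        return VET_BAD_PATH;
    if (!S_ISREG(st->st_mode))               /* lstat: rejects symlinks too */
        return VET_NOT_FILE;
    if (st->st_mode & (S_IWGRP | S_IWOTH))   /* others could replace it */
        return VET_WRITABLE;
    if (st->st_mode & (S_ISUID | S_ISGID))   /* would undo the UID change */
        return VET_SETID;
    if (st->st_uid != uid || st->st_gid != gid)
        return VET_WRONG_OWNER;
    return VET_OK;
}
```

A wrapper that passes these checks still has to drop supplementary groups, GID and UID in that order and clean the environment before it executes the CGI.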