Date: Wed, 29 Oct 1997 10:23:01 -0500 (EST) From: Hetzels@aol.com To: marcs@znep.com, freebsd-ports@hub.freebsd.org Subject: Re: ports/4878: Apache w/FrontPage Module Port Message-ID: <971029102300_1311894685@mrin42.mail.aol.com>
next in thread | raw e-mail | index | archive | help
In a message dated 97-10-28 17:02:47 EST, marcs@znep.com writes: > I have said this before and I will say this again: this is a damn big > security hole and must not be done. If you install this port, anyone can > get root on the system you install it on without any effort. This is not > acceptable. > > Microsoft includes patches for Apache and a program called fpexe for this > very reason. While I don't particularily recommend them (although the new > fixed version seems reasonable; haven't had time to look at it fully yet > though), they are a _LOT_ better than giving everyone instant root on the > server. > This port uses the FrontPage Module & the fpexe program. When I looked through the code both the Module & fpexe look at the uid & gid, if the uid is < 11 or gid < 21 then the call is rejected. Also, the program checks if what is being called is admin.exe, author.exe, shtml.exe or fpcount.exe, if it is not one of these programs then the call is also rejected. Where is the security hole? Scot
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?971029102300_1311894685>