Date: Thu, 22 Oct 1998 11:33:55 -0700 (PDT)
From: Marc Slemko <marcs@znep.com>
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FrontPage Server Extensions
Message-ID: <Pine.BSF.4.03.9810221130390.20832-100000@alive.znep.com>
In-Reply-To: <19981022190135.02835@antioche.lip6.fr>

On Thu, 22 Oct 1998, Manuel Bouyer wrote:

> On Oct 22, john wrote
> > Does anyone know of any glaring security holes on a FreeBSD
> > system (we're currently at 2.2.6-Stable) that has the Microsoft
> > FrontPage Server Extensions installed? I've heard it wreaks
> > havoc on ownership/permissions of some files. Any ideas/comments
> > are welcome.
> >
>
> Also, the last time I looked at it, it needed to be suid root (or at
> least some parts). I don't trust Microsoft enough.

You have source to the part that is setuid.

Originally, when they first came out with the setuid bit, it gave anyone
almost instant root. Now it is better. There are no obvious insecurities
in the wrapper.

The issues now revolve around their installation procedure and ensuring
everything is properly configured, plus the very poor manner in which it
uses and requires configuration, and the fact that if there are holes in
the CGI scripts that they do run as the user (and holes are likely) then
you can compromise that user's account.

If you can compromise an arbitrary user's account, you can get root on the
vast majority of boxes.