From owner-freebsd-security Thu Oct 22 11:34:17 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA06131 for freebsd-security-outgoing; Thu, 22 Oct 1998 11:34:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA06122 for ; Thu, 22 Oct 1998 11:34:13 -0700 (PDT) (envelope-from marcs@znep.com)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.9.1a/8.9.1) with UUCP id MAA03335; Thu, 22 Oct 1998 12:33:35 -0600 (MDT)
Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with ESMTP id LAA10537; Thu, 22 Oct 1998 11:33:55 -0700 (PDT)
Date: Thu, 22 Oct 1998 11:33:55 -0700 (PDT)
From: Marc Slemko
To: Manuel Bouyer
cc: freebsd-security@FreeBSD.ORG
Subject: Re: FrontPage Server Extensions
In-Reply-To: <19981022190135.02835@antioche.lip6.fr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 22 Oct 1998, Manuel Bouyer wrote:

> On Oct 22, john wrote
> > Does anyone know of any glaring security holes on a FreeBSD
> > system (we're currently at 2.2.6-Stable) that has the Microsoft
> > FrontPage Server Extensions installed? I've heard it wreaks
> > havoc on ownership/permissions of some files. Any ideas/comments
> > are welcome.
> >
>
> Also, the last time I looked at it, it needed to be suid root (or at
> least some parts). I don't trust Microsoft enough.

You have source to the part that is setuid. Originally, when they first
came out with the setuid bit, it gave anyone almost instant root. Now it
is better. There are no obvious insecurities in the wrapper.

The issues now revolve around their installation procedure and ensuring
everything is properly configured, plus the very poor manner in which it
uses and requires configuration, and the fact that if there are holes in
the CGI scripts that they do run as the user (and holes are likely) then
you can compromise that user's account. If you can compromise an
arbitrary user's account, you can get root on the vast majority of boxes.
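The two concerns raised in this thread, parts of the extensions that are setuid root and an installer that disturbs ownership and permissions, are things an administrator can check for directly. The following POSIX shell script is an added example and is not part of the original mail or of the FrontPage software: it lists setuid/setgid files and world-writable entries under a given directory so that a web tree can be audited after installation. The directory layout and file names built in `demo` are constructed for illustration only.

```shell
#!/bin/sh
# Added example (not from the original mail): audit a directory tree for
# setuid/setgid files and for world-writable files or directories, the two
# kinds of ownership/permission problems discussed in the thread.
# Usage: audit_tree /path/to/webroot

# Print regular files under $1 that carry the setuid or setgid bit, sorted.
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print world-writable files and directories under $1 (symlinks skipped), sorted.
find_world_writable() {
    find "$1" -perm -0002 ! -type l -print 2>/dev/null | sort
}

# Run both checks and label the output for a human reader.
audit_tree() {
    dir=$1
    echo "== setuid/setgid files under $dir"
    find_setid "$dir"
    echo "== world-writable entries under $dir"
    find_world_writable "$dir"
}

# Self-contained demonstration on a constructed tree in a temporary directory.
# The names below are made up for the example; they are not FrontPage paths.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/cgi-bin" "$tmp/bin"
    : > "$tmp/cgi-bin/ok.cgi";    chmod 0755 "$tmp/cgi-bin/ok.cgi"    # fine
    : > "$tmp/bin/wrapper";       chmod 4755 "$tmp/bin/wrapper"       # setuid: review it
    : > "$tmp/cgi-bin/loose.cgi"; chmod 0777 "$tmp/cgi-bin/loose.cgi" # world-writable: fix it
    audit_tree "$tmp"
    rm -rf "$tmp"
}

demo
```

Run it against the real document root with `audit_tree /usr/local/www` (or wherever the extensions were installed); every setuid entry it lists should be one whose source you have actually read, and every world-writable entry should be tightened before the CGI scripts are exposed.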