From owner-freebsd-security Sat Oct 11 11:53:14 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id LAA02286 for security-outgoing; Sat, 11 Oct 1997 11:53:14 -0700 (PDT) (envelope-from owner-freebsd-security)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id LAA02281 for ; Sat, 11 Oct 1997 11:53:08 -0700 (PDT) (envelope-from marcs@znep.com)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.8.7/8.8.7) with UUCP id MAA02582; Sat, 11 Oct 1997 12:52:55 -0600 (MDT)
Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with SMTP id MAA16102; Sat, 11 Oct 1997 12:56:54 -0600 (MDT)
Date: Sat, 11 Oct 1997 12:56:54 -0600 (MDT)
From: Marc Slemko
To: Marc Slemko
Subject: Huge security holes in Microsoft FP98 server extensions for Apache
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

[Copies sent to bugtraq, inet-access, freebsd-security, the Apache development mailing list, and the comp.infosystems.www.servers.unix and microsoft.public.frontpage.extensions.unix newsgroups.]

Microsoft's FrontPage 98 server side extensions for Apache under Unix include a small setuid root program (fpexe) to allow the FrontPage CGIs to be run as the user who owns the pages, as opposed to them all running as the user the web server runs as. This is necessary to get around gaping loopholes that occur when all FrontPage documents are owned by the user the web server runs as.

There are, however, gaping holes in this fpexe program that make it easily exploitable to eventually gain root.

This is only in the FrontPage 98 extensions and is only in the Apache version; it is completely unrelated to any Apache code and only occurs in the Apache version simply because that is the only version where this functionality is provided.
Details are at http://www.worldgate.com/~marcs/fp/
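Added example, not part of the original mail and not Microsoft's or Apache's code: a POSIX sh audit function that reports the two conditions the mail contrasts, content owned by the web server's own user (the loophole fpexe exists to avoid) and setuid copies of fpexe under a document tree. The document root and the web server's user name are assumptions passed as arguments.

```shell
#!/bin/sh
# fp_audit DOCROOT WEBUSER
#   Prints one finding per line and returns 0 when nothing was found,
#   1 otherwise. DOCROOT and WEBUSER are assumptions supplied by the caller
#   (constructed example; on a real host WEBUSER is the User directive's
#   value from httpd.conf, for instance "nobody" or "www").
fp_audit() {
    docroot=$1
    webuser=$2

    # Files owned by the web server's own user: any CGI the server runs,
    # FrontPage or otherwise, can rewrite them, which is the loophole the
    # mail says fpexe was introduced to close.
    owned=$(find "$docroot" -type f -user "$webuser" 2>/dev/null)

    # setuid copies of fpexe; a root-owned one is the program the mail
    # describes, so its owner and location are worth reviewing.
    suid=$(find "$docroot" -type f -name fpexe -perm -4000 2>/dev/null)

    [ -n "$owned" ] && printf '%s\n' "$owned" | sed 's/^/server-owned: /'
    [ -n "$suid" ]  && printf '%s\n' "$suid"  | sed 's/^/setuid-fpexe: /'

    # Exit status doubles as a pass/fail result for scripting.
    [ -z "$owned" ] && [ -z "$suid" ]
}
```

Run it as `fp_audit /usr/local/www/data nobody`; a non-zero exit means at least one finding was printed.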