Date: Fri, 29 Apr 2005 22:26:15 -0700
From: Joe Rhett <jrhett@meer.net>
To: Scot Hetzel <swhetzel@gmail.com>
Cc: Todd Reed <treed@astate.edu>
Subject: Re: FreeBSD Port: frontpage-5.0.2.2623_1
Message-ID: <20050430052615.GA8066@meer.net>
In-Reply-To: <790a9fff05042213306b502f1b@mail.gmail.com>
References: <892CC2C451D0414B90159D10B5BDAA65AB2234@EXCHANGE.astate.edu>
 <20050207202417.GB37923@meer.net>
 <20050208004233.GA84236@xor.obsecurity.org>
 <790a9fff050208142045266974@mail.gmail.com>
 <20050224203342.GH49530@meer.net>
 <790a9fff05022414531dd27600@mail.gmail.com>
 <20050422183816.GB45992@meer.net>
 <790a9fff05042213306b502f1b@mail.gmail.com>
On Fri, Apr 22, 2005 at 03:30:06PM -0500, Scot Hetzel wrote:
> The one difference that I know of between these two mod_frontpage
> ports, is that Improved mod_frontpage checks to see if we have been
> authenticated for the ADMIN and ADMINCGI urls. When I added these
> checks to the RTR version (change FrontPageAlias to FrontPageNeedAuth
> for the ADMIN and ADMINCGI checks in the mod_frontpage.c patches), the
> mod_frontpage module was checking for authentication before the Apache
> 2.0 server requested authentication.

Actually, it's asking for authentication for things that Apache doesn't
ask for authentication on. This was broken by pathname changes in the
rtr-compiled versions of frontpage. See my patches regarding this.

> What other significant security enhancements does Improved mod_frontpage have?

Improved mod_frontpage has all of the security checks that are applied to
CGIs. Last time I saw the rtr frontpage module, it was fairly easy to make
it run things it shouldn't have if someone left directory permissions too
loose.

I haven't compared them side by side in a while, and perhaps I should do
that before speaking further.

--
Joe Rhett
senior geek
meer.net