httpd-dev mailing list archives

From Marc Slemko <>
Subject more on frontpage 98 security
Date Thu, 16 Oct 1997 03:00:06 GMT

Microsoft has put a page up at:

responding to the issue.

I find it funny that they say:

Attn: Apache web server administrators
               Microsoft has discovered a bug with the FrontPage 98
               Server Extensions on the UNIX Apache web server. Read all
               about the details and the fix. 

...of course MS discovered it.  They did, but their discovery was aided a
little bit methinks.  Well, they do give appropriate credit (and even a
reference to my fp security hell web page, although for some reason they
don't use the title for the name of the link... <g>) on the actual page
they posted.

Aside from being unable to copy a URL ( != even
though they both work fine) their response isn't too bogus.

I find:

               The discovery came about as a result
               of Microsoft proactively providing the source code to the
               fpexe program for review by the Internet community at
               large during the beta testing period of FrontPage 98.  The
               source code to the fixed version will also be available for
               review on the Microsoft FrontPage website at
      once the fix is
               posted next week.

this funny.  Proactive security is publishing the source after release to
let people find gaping holes in it that could have been found (and I did
find them) in two seconds.  Funny, I had thought differently.  I must be

No response (well, not that I can blame them... because there isn't
anything they can say) to their questionable code review, or lack thereof.
