httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@worldgate.com>
Subject zdnet on frontpage 98 hole
Date Wed, 22 Oct 1997 04:20:39 GMT
http://www1.zdnet.com/uk/news/ns-3014.html :

   However, as of 10am Tuesday, October 21, Microsoft still hadn't
   managed to fix another security bug in the FrontPage 98 Server
   Extensions on Unix systems running the Apache Web server. Apache is a
   dominant leader in Web servers.              
                                                 
I think "managed to fix" is the right word.  Unfortunately, I sure hope
they don't follow the suexec model because I would have to whine about it.
<sigh>  suexec is designed around the idea that it is safe for anyone to
be able to run any binary in "webspace" as the user.  That isn't
necessarily true when uploading things.  They do have a tricky problem to
solve, but what they did before...   Not sure if this is properly
reflected in the suexec docs or not.
                     
   Discovered and highlighted on a page called Microsoft FrontPage 98
   Security Hell, the issue is described as "a gaping hole" in security.
   On October 11, Microsoft responded with a note on its Web site four
   days later and is promising a "re-release" of the Server Extensions
   will be posted this week at http://www.microsoft.com/frontpage/wpp/. 
                                                                        
   On the Security Hell site, Webmaster Marc Slemko is damning of     

Wow, I'm a webmaster.  Or is every dweeb that writes a web page a
Webmaster?  

   Microsoft. "It is no secret that the security of the FrontPage 97 and
   earlier Unix server extensions is quite poor," he writes. "However, a 
   closer examination reveals startling flaws ... the gaping holes in 
   this program show a complete lack of understanding of security in the
   Unix environment."                                                  

I'm quite suprised that zd got the point.  I didn't think I was being
blunt enough for them.  <g>


Mime
View raw message