General
cancel
Showing results for 
Search instead for 
Did you mean: 

Security concerns about MS Frontpage extensions

Wodisch
Honored Contributor

Security concerns about MS Frontpage extensions

Hello all,

I am concerned about installing (or not) the MS Frontpage extensions onto a linux-based web-server (Apache, of course, but still 1.3.x - not 2.0.x).

What problems, weaknesses, pitfalls, exploits do you know to argue AGAINST it?
Which tips & tricks & workarounds do you know to USE it?

I'll try to summarize as much as possible, most likely in about 10 days (so tell me, wether you want *some* points right now, or - perhaps - more points later :-)

Thanks a lot,
Wodisch
2 REPLIES
Wodisch
Honored Contributor

Re: Security concerns about MS Frontpage extensions

Sorry for posting this twice - like most of us I had a lot of problems with the forums' responses... :-(
Would you please answer on the other post:
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x202ec7f6c54cd61190010090279cd0f9,00.html

Thanks a lot,
Wodisch
Santosh Nair_1
Honored Contributor

Re: Security concerns about MS Frontpage extensions

I've actually installed the FP extension for Apache on a HP machine. It seems to work quite transparently. Basically the install script dumps a bunch of files in directories under DocumentRoot with names like _vti_bin, _vti_cnf, etc. It uses HTML and CGI utilities to do its work and the .htaccess method for security, with passwords and groups stored in /_vti_pvt/service.pwd and _vti_pvt/service.grp respectively.

There are no special deamons that are running on the system. I haven't tried to break the CGI scripts (executables) yet, but if anywhere, that would your weakest security link.

Hope this helps

-Santosh
Life is what's happening while you're busy making other plans