
Security concerns about MS Frontpage extensions

Wodisch
Honored Contributor

Security concerns about MS Frontpage extensions

Hello all,

I am concerned about installing (or not) the MS Frontpage extensions onto a Linux-based web server (Apache, of course, but still 1.3.x - not 2.0.x).

What problems, weaknesses, pitfalls, exploits do you know to argue AGAINST it?
Which tips & tricks & workarounds do you know to USE it?

I'll try to summarize as much as possible, most likely in about 10 days (so tell me whether you want *some* points right now, or - perhaps - more points later :-)

Thanks a lot,
Wodisch
2 REPLIES
Wodisch
Honored Contributor

Re: Security concerns about MS Frontpage extensions

Sorry for posting this twice - like most of us I had a lot of problems with the forums' responses... :-(
Would you please answer on the other post:
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x202ec7f6c54cd61190010090279cd0f9,00.html

Thanks a lot,
Wodisch
Santosh Nair_1
Honored Contributor

Re: Security concerns about MS Frontpage extensions

I've actually installed the FP extension for Apache on an HP machine. It seems to work quite transparently. Basically the install script dumps a bunch of files in directories under DocumentRoot with names like _vti_bin, _vti_cnf, etc. It uses HTML and CGI utilities to do its work and the .htaccess method for security, with passwords and groups stored in /_vti_pvt/service.pwd and _vti_pvt/service.grp respectively.

There are no special daemons that are running on the system. I haven't tried to break the CGI scripts (executables) yet, but if anywhere, that would be your weakest security link.

Hope this helps

-Santosh
Life is what's happening while you're busy making other plans
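
Added example, not part of the reply above and not code from the FrontPage install script: a read-only audit that walks a DocumentRoot for the artifacts the reply names (`_vti_pvt/service.pwd`, `_vti_pvt/service.grp`, `.htaccess`, executables under `_vti_bin`) and reports loose permissions. The finding labels, the choice of checks, and the `build_sample` tree with its `sample.cgi` files are constructed assumptions for illustration.

```python
import os
import stat
import sys
import tempfile

CRED_FILES = ("service.pwd", "service.grp")  # file names as given in the reply
CGI_FLAGS = ((0o111, "cgi-executable"), (stat.S_IWOTH, "world-writable-cgi"),
             (stat.S_ISUID, "setuid-cgi"))   # labels are assumptions of this example

def audit_frontpage(docroot):
    """Return sorted (finding, relative_path) pairs for FrontPage artifacts."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        parts = rel.split(os.sep)
        if parts[-1] == "_vti_pvt":
            if ".htaccess" not in files:  # nothing restricting web access here
                findings.append(("pvt-without-htaccess", rel))
            for name in CRED_FILES:
                full = os.path.join(dirpath, name)
                if name in files and os.stat(full).st_mode & stat.S_IROTH:
                    findings.append(("world-readable-credentials", os.path.join(rel, name)))
        if "_vti_bin" in parts:  # CGI programs, including any subdirectories
            for name in files:
                mode = os.stat(os.path.join(dirpath, name)).st_mode
                for bit, label in CGI_FLAGS:
                    if mode & 0o111 and mode & bit:
                        findings.append((label, os.path.join(rel, name)))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree (not a real install): a root web and one subweb."""
    layout = {  # relative path -> permission bits
        "_vti_pvt/.htaccess": 0o644, "_vti_pvt/service.pwd": 0o640,
        "_vti_bin/sample.cgi": 0o755, "index.html": 0o644,
        "sub/_vti_pvt/service.pwd": 0o644, "sub/_vti_pvt/service.grp": 0o600,
        "sub/_vti_bin/adm/sample.cgi": 0o757,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for finding, path in audit_frontpage(root):
        print(f"{finding:28} {path}")
```

Run it with a DocumentRoot path as the only argument; with no argument it audits the constructed sample tree.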