[4022] in WWW Security List Archive


Re: Front-Page extensions?

daemon@ATHENA.MIT.EDU (Darren Cook)
Mon Jan 20 23:48:16 1997

To: www-security@ns2.rutgers.edu
From: darren@factcomm.co.jp (Darren Cook)
Date: Tue, 21 Jan 1997 11:22:52 +0900
Errors-To: owner-www-security@ns2.rutgers.edu

>I'm wondering what your opinions are about the Front-Page server 
>extensions? I've been asked to look into it for my site, just reading the 
>docs now. Any comments are welcome.

I was playing around with it last week.
I noticed two problems with the bot (i.e. built-in CGI functionality) that
puts your comments into a file.

The first is that it puts the file into the web directory tree by default,
and it is possible for everyone to read that file (there are no links to it,
so you need to know the filename). I think it should be possible to put it
somewhere outside the directory tree, or password-protect it, but I could
not find the way to do that quickly.

The second is a problem that you will find in many CGI scripts, not just
FrontPage. If the data is being put into an HTML file, then you can put
HTML in and alter the formatting of the message you are giving.
This can be abused: I put "<!--" at the end of my message. The messages I
put in after that did not appear.

Darren
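An added illustration of the second problem described above (this is example code, not from the post or from FrontPage): a minimal comment-file renderer with the unescaped form beside an escaped one, plus a rough approximation of what a browser would display. The comment texts and function names are constructed for the example.

```python
import html
import re

# Constructed sample submissions: the third one ends with "<!--", as in the
# message above, and the fourth is what a later visitor would submit.
COMMENTS = [
    "Nice site.",
    "Please add more photos.",
    "Great stuff <!--",
    "I could not find the ordering page.",
]


def render_unsafe(comments):
    """The pattern the post describes: untrusted text is written straight
    into the HTML file, so any markup a visitor submits becomes part of
    the page."""
    return "\n".join(f"<p>{c}</p>" for c in comments)


def render_safe(comments):
    """Hardened version: escape &, <, > and quotes before writing, so the
    submitted text is shown literally and '<!--' cannot open a comment."""
    return "\n".join(f"<p>{html.escape(c)}</p>" for c in comments)


def visible_text(page):
    """Approximate what a browser shows: drop HTML comments (an unterminated
    '<!--' swallows everything to the end of the document), then strip tags
    and decode entities."""
    no_comments = re.sub(r"<!--.*?(?:-->|\Z)", "", page, flags=re.S)
    no_tags = re.sub(r"<[^>]+>", " ", no_comments)
    return " ".join(html.unescape(no_tags).split())


if __name__ == "__main__":
    print("unsafe:", visible_text(render_unsafe(COMMENTS)))
    print("safe:  ", visible_text(render_safe(COMMENTS)))
```

In the unsafe rendering every entry after the "<!--" disappears from the page; in the escaped rendering all four entries remain visible and the "<!--" shows up as plain text.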

