[4077] in WWW Security List Archive
Re: Front-Page extensions?
daemon@ATHENA.MIT.EDU (bracha@eye-on.co.il)
Sun Jan 26 14:47:18 1997
From: bracha@eye-on.co.il
Date: Sun, 26 Jan 1997 19:51:06 +0200
To: Darren Cook <darren@factcomm.co.jp>
CC: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Darren Cook wrote:
>
> >I'm wondering what your opinions are about the Front-Page server
> >extensions? I've been asked to look into it for my site, just reading the
> >docs now. Any comments are welcome.
>
> I was playing around with it last week.
> I noticed two problems with the bot (i.e. built-in CGI functionality) that
> puts your comments into a file.
>
> The first is that it puts the file into the web directory tree by default,
> and it is possible for everyone to read that file (there are no links to it,
> so you need to know the filename). I think it should be possible to put it
> somewhere outside the directory tree, or password-protect it, but I could
> not find the way to do that quickly.
>
> The second is a problem that you will find in many cgi scripts, not just
> FrontPage. If the data is being put into an HTML file, then you can put
> HTML in and alter the formatting of the message you are giving.
> This can be abused: I put "<!--" at the end of my message. The messages I
> put in after that did not appear.
>
> Darren
Take me off this dumb list!!!!!Take me off this dumb list!!!!!Take me
off this dumb list!!!!!Take me off this dumb list!!!!!Take me off this
dumb list!!!!!
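Both problems Darren raises in the quoted message (a comment file left inside the served directory tree, and raw visitor text written into an HTML file so that an unclosed `<!--` hides every later message) as an added example; this is illustration code, not FrontPage's own bot, and the paths, function names and sample messages are all hypothetical.

```python
import html
import os
import re

def render_unsafe(author: str, body: str) -> str:
    """The behaviour described in the thread: raw text goes into the HTML file."""
    return f"<p><b>{author}</b>: {body}</p>\n"

def render_safe(author: str, body: str) -> str:
    """Hardened form: escape every visitor-supplied field, so '<!--'
    is stored as '&lt;!--' and can no longer open an HTML comment."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>\n"

def visible_text(doc: str) -> str:
    """Crude model of what a browser displays: drop HTML comments, then tags.
    An unclosed '<!--' swallows everything after it, which is the effect
    Darren observed."""
    doc = re.sub(r"<!--.*?-->", "", doc, flags=re.S)   # closed comments
    doc = doc.split("<!--", 1)[0]                        # unclosed comment
    return re.sub(r"<[^>]+>", "", doc)

def build_page(comments, render) -> str:
    """Assemble the comment page from (author, body) pairs."""
    return "".join(render(author, body) for author, body in comments)

def is_inside_web_root(web_root: str, target: str) -> bool:
    """True if target resolves to somewhere the web server would serve."""
    root = os.path.realpath(web_root)
    return os.path.commonpath([root, os.path.realpath(target)]) == root

def comment_path(web_root: str, store_dir: str, name: str = "comments.html") -> str:
    """Refuse a store location under the web root, so the file cannot be
    fetched by anyone who guesses its name (Darren's first problem)."""
    target = os.path.join(store_dir, name)
    if is_inside_web_root(web_root, target):
        raise ValueError(f"{target} would be served; store it outside {web_root}")
    return os.path.realpath(target)

# Constructed sample: the first message ends with '<!--', a later visitor
# posts after it. With render_unsafe the second message never shows up.
SAMPLE = [("mallory", "nice site <!--"), ("alice", "hello from alice")]

if __name__ == "__main__":
    print(visible_text(build_page(SAMPLE, render_unsafe)))
    print(visible_text(build_page(SAMPLE, render_safe)))
    print(comment_path("/var/www", "/var/data"))   # hypothetical paths
```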