[9769] in bugtraq
Re: Frontpage extensions under Apache 1.3.4
daemon@ATHENA.MIT.EDU (Frank Miller)
Tue Feb 23 19:54:02 1999
Date: Tue, 23 Feb 1999 10:35:43 -0800
Reply-To: Frank Miller <frankm@BEND.OR.US>
From: Frank Miller <frankm@BEND.OR.US>
X-To: "Neulinger, Nathan R." <nneul@umr.edu>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <9DA8D24B915BD1118911006094516EAF019C7F43@umr-mail02.cc.umr.edu>
Marc/Nathan and other bugtraq folk,
I utilized fp-patch_apache.1.3.0. It performed changes to httpd.h,
httpd_request.c, util.c and of course dumped mod_frontpage.c.
Y'all are correct in that the actual extensions/CGIs are not available.
Sorry for the net misunderstanding!
I should know better than to send e-mail public in the wee, wee hours of the
morn after staying up for a few days working ;}.
Frank
> -----Original Message-----
> From: Neulinger, Nathan R. [mailto:nneul@umr.edu]
> Sent: Tuesday, February 23, 1999 9:20 AM
> To: 'Frank Miller'; BUGTRAQ@netspace.org
> Subject: RE: Frontpage extensions under Apache 1.3.4
>
>
> The only thing you get source to is the setuid portion and the apache patch.
> What good does that do you? You still have to trust everything that the
> setuid routine runs... (i.e. the frontpage executable itself)
>
> I have managed to get frontpage installed in a chrooted environment. This is
> about the only way I'd even vaguely consider installing it. I have it set up
> for virtual hosted customers (at a local isp) that have chosen to _only_ use
> frontpage. They either get regular access to a normal virtual host, or they
> get a frontpage host.
>
> -- Nathan
>
> ------------------------------------------------------------
> Nathan Neulinger EMail: nneul@umr.edu
> University of Missouri - Rolla Phone: (573) 341-4841
> Computing Services Fax: (573) 341-4216
>
> > -----Original Message-----
> > From: Frank Miller [mailto:frankm@BEND.OR.US]
> > Sent: Monday, February 22, 1999 1:36 PM
> > To: BUGTRAQ@netspace.org
> > Subject: Re: Frontpage extensions under Apache 1.3.4
> >
> >
> > Source is available for Apache FP extensions up to Apache 1.3.*. Have not
> > performed an audit of the source. I have succeeded with minimal munging to
> > apply the patch to Apache 1.3.4.
> >
> > They are rather well hidden on the Microsoft FrontPage admin web site ;].
> >
> > Frank
> >
> > > -----Original Message-----
> > > From: Bugtraq List [mailto:BUGTRAQ@netspace.org]On Behalf Of Alan Brown
> > > Sent: Sunday, February 21, 1999 7:16 PM
> > > To: BUGTRAQ@netspace.org
> > > Subject: Re: Frontpage extensions under Apache 1.3.4
> > >
> > >
> > > On Fri, 19 Feb 1999, Sitzkrieg Redundus wrote:
> > >
> > > > I spent the bulk of my time a few days back convincing the Frontpage 98
> > > > extensions and Apache 1.3.4 (patched with patch version 3.0.4.3) to play
> > > > nicely. After banging my head against it for a few hours, I got things to
> > > > what I thought was a workable point, and fired up httpd. And got an error
> > > > back about there being a syntax error on line 1 of /dev/null.
> > >
> > > Has anyone properly audited the current Front Page extensions for any
> > > Apache server? My understanding is that these are available solely as
> > > binary/object files and inspection of source is impossible.
> > >
> > > I'd love to know if this has changed, as we refuse to install FP
> > > extensions because for all we know they may be swiss cheese.
> > >
> > > Many other apache server admins will have taken the same position.
> > >
> > > AB
> > >
> >
>