Visible user list in FrontPage permissions (larger problem)

  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: Visible user list in FrontPage permissions (larger problem)
  • From: Michael Thomas <mikemathbox.com>
  • Date: Fri, 3 Jul 1998 14:15:57 -0400
  • Comments: To: securemicrosoft.com
  • Reply-To: Michael Thomas <mikemathbox.com>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

The FrontPage server extensions document how to block the display of the
complete server user database, but miss some points...

The example shows that for a web site named www.yourdomain.com on port 80,
one should create the restriction group FP_www.yourdomain.com:80. This
indeed works when the FrontPage user enters www.yourdomain.com in the "Open
FrontPage Web" dialog.

However, if the web site has the IP address 10.1.1.1 and the user enters
10.1.1.1 in the "Open FrontPage Web" dialog, the entire user list is
visible. This can be blocked by defining the local group FP_10.1.1.1:80, but
it must be defined.

Further, if the domain is assigned the same IP address, the user could also
enter yourdomain.com and the entire user list would be visible. Again, it
can be blocked by creating the local group FP_yourdomain.com:80. If you
don't understand that a domain can have an IP address, talk to your DNS
operator.

Some customers have multiple domains mapped to the same address. For
example, myotherdomain.com also has the IP address 10.1.1.1 and the node
www.myotherdomain.com also has the address 10.1.1.1.  So if the user enters
either myotherdomain.com or www.myotherdomain.com in the "Open FrontPage
Web" dialog, the entire user list is visible.  Again, block these by defining
FP_myotherdomain.com:80 and FP_www.myotherdomain.com:80. If you don't
understand how domain mapping works, talk to your DNS operator.

And the final problem is a web site that also has SSL running (likely port
443). All of the local groups defined as FP_xxx:80 must also exist as
FP_xxx:443.

Mostly, the problem is with the documentation and as described, it is not
intuitively obvious. The good news is that the security problem can be
fixed.

Michael Thomas
System Operations
Mathbox, Inc.
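
The audit the post implies, as an added example that is not part of the original message: build every FP_<name>:<port> group the site needs and report the ones that are missing from the server's local groups. The `net localgroup` sample output and the server name WEB01 are constructed, and the case-insensitive comparison assumes FrontPage matches group names the way Windows does.

```python
"""Audit which FP_<name>:<port> restriction groups are still missing."""
from itertools import product

# Constructed sample of `net localgroup` output (not from the original post).
SAMPLE_NET_LOCALGROUP = r"""
Aliases for \\WEB01

-------------------------------------------------------------------------------
*Administrators
*FP_www.yourdomain.com:80
*FP_10.1.1.1:80
*fp_YourDomain.com:80
*Users
The command completed successfully.
"""

def parse_local_groups(net_output):
    """Return group names from `net localgroup` output (lines starting with '*')."""
    return [line[1:].strip() for line in net_output.splitlines()
            if line.startswith("*")]

def required_groups(names, ports):
    """One restriction group per (name, port) pair a user could enter."""
    return [f"FP_{name}:{port}" for name, port in product(names, ports)]

def missing_groups(names, ports, existing):
    """Required groups that do not exist yet.

    Windows local group names are case-insensitive, so compare case-folded.
    """
    have = {g.casefold() for g in existing}
    return [g for g in required_groups(names, ports) if g.casefold() not in have]

# Every name that maps to the site, plus the address itself (values from the post).
NAMES = ["www.yourdomain.com", "yourdomain.com", "10.1.1.1",
         "myotherdomain.com", "www.myotherdomain.com"]
PORTS = [80, 443]  # HTTP plus the SSL listener

if __name__ == "__main__":
    existing = parse_local_groups(SAMPLE_NET_LOCALGROUP)
    for group in missing_groups(NAMES, PORTS, existing):
        print("missing:", group)
```

With the constructed sample, only three of the ten required groups exist, all on port 80; every :443 group and both myotherdomain.com names on port 80 are reported as missing.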