Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Subject: Re: Frontpage Extensions
From: Marc Maiffret (marcEEYE.COM)
Date: Sat Oct 28 2000 - 12:52:15 CDT
- Next message: Seth Osher: "Re: IIS and SSL certificates."
- Previous message: Lucas Holt: "Re: $IPC on Windows NT ?"
- In reply to: Florian Duerr: "Re: Frontpage Extensions"
- Reply: Marc Maiffret: "Re: Frontpage Extensions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
FP seems to get ripped on a lot about security (by people who really don't
know anything more then the other mindless dribble they've heard from other
people who don't know anything) and as you've shown the latest versions are
(or have been so far) rather secure. The reason FP usually reads as insecure
is from older FrontPage holes (i.e. nt4,opt4, allowed anyone to deface your
website by default) or poor FP installations which like any poor
installation can lead to insecurities. However, the real reason (at least my
personal reason) why I think FP server extensions are "bad" for security
(much like any feature you don't truly need) is because of their track
record and the amount of features they are trying to pack into FP
extensions. Also because of the number of developers working on different
parts of FP and piecing all of it together with duck tape.
So I guess what I am trying to say (in the short non late night babbling
version) is that FP server extensions are secure for the moment and most
people that rip on FP extensions are just talking out of their ass. However,
as you will see in a week or two, FP has a bad track record with security
and they shall continue to (unless major changes happen). Stay tuned for the
Chief Hacking Officer
eCompany / eEye
On a personal non-security note, I agree that FP as an
application/server/whatever does indeed "suck" but then again my mom grasps
it a lot easier then dream weaver/fireworks.
|From: Focus on Microsoft Mailing List
|[mailto:FOCUS-MSSECURITYFOCUS.COM]On Behalf Of Florian Duerr
|Sent: Wednesday, October 25, 2000 9:30 AM
|Subject: Re: Frontpage Extensions
|i think your words about the fp2k-server-extensions are a little to strong.
|i'm the webmaster an server administrator in one person of a web-server,
|which has also the function of a dns-server and mail-server under w2k. it
|all works fine, if the server administrator has done his homework learning
|about the products he/she uses ;-)
|i wouldn't say, fp2k-server extensions are THE addon for a web-server, but
|they work nice for beginners and intermediate users which won't spend time
|in programming rather than in designing.
|correctly configured and with the newest patches applied (see
|www.microsoft.com) they aren't insecure. i don't know of any
|had ever problems with hacking/intrusion. however, mind this:
|a) double-check the security on your web-directory (on ntfs) AFTER the
|extensions were applied to the web
|b) don't ever share the web-directory (why should you? ;-) with
|c) restarting iis after applying the extensions is always a good idea!
|d) set another server-operator than the "administrator" under the
|in the iis-mmc
|i like the server extensions in combination with programming!
|Systems Engineer / MCP
| >Not to be too critical of any specific technology, but I have always
| >the opinion that Front Page server extensions were a horrible idea from
| >very beginning. I'll briefly review my reasons for saying this:
| >1) I have glanced over a good deal of bug reports and problem
| >statements regarding the extensions when used in the Windows
| >My reading in this area has only been cursory since I will never let
| >use FP2K extensions on any of the boxes that I administrate.
|As far as I
| >tell, problems abound.
| >2) The extensions are really just a glorified workaround for users who
| >can't seem to manage to understand how an FTP client works. If someone
| >doesn't know how to work in a virtual site root and then
|upload the site
| >a server, what in the world are they doing as a Webmaster?
|Also on that
| >3) Why would anyone even remotely serious about creating a
| >site use a design tool as poor as MS Front Page? (Sorry, I
|guess I hold
| >great deal of animosity in me from back when I was working in
| >and all around me people were making this awful cookie-cutter HTML with
| >Front Page 3 and so forth. Overall, though, it's hard to deny
| >poor HTML editing tool.)
| >Overall, I usually am of the opinion that Front Page
|extensions aren't a
| >very good idea on ANY platform. Frankly, I've never even heard of
| >use them on an Apache/UNIX system.
| >Brian Rea
| >Internet Solutions Specialist
| >----- Original Message -----
| >From: "Christopher Tresco" <ctrescoMIT.EDU>
| >To: <FOCUS-MSSECURITYFOCUS.COM>
| >Sent: Thursday, October 19, 2000 11:17 PM
| >Subject: Frontpage Extensions
| >> I'm not sure if this is the right place for this question, but I'll
| >> anyways.
| >> I am wondering what possible security issues I would have by
| >> Frontpage 2000 extensions under Apache for UNIX??
| >> Anyone knowledgeable about these things?