Subject: Re: Frontpage Extensions
From: Marc Maiffret (marcEEYE.COM)
Date: Sat Oct 28 2000 - 12:52:15 CDT


FP seems to get ripped on a lot about security (by people who really don't
know anything more than the other mindless dribble they've heard from other
people who don't know anything) and as you've shown the latest versions are
(or have been so far) rather secure. The reason FP usually reads as insecure
is from older FrontPage holes (i.e. nt4,opt4, allowed anyone to deface your
website by default) or poor FP installations which like any poor
installation can lead to insecurities. However, the real reason (at least my
personal reason) why I think FP server extensions are "bad" for security
(much like any feature you don't truly need) is because of their track
record and the amount of features they are trying to pack into FP
extensions. Also because of the number of developers working on different
parts of FP and piecing all of it together with duct tape.

So I guess what I am trying to say (in the short non late night babbling
version) is that FP server extensions are secure for the moment and most
people that rip on FP extensions are just talking out of their ass. However,
as you will see in a week or two, FP has a bad track record with security
and they shall continue to (unless major changes happen). Stay tuned for the
advisory.

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com

P.S.
On a personal non-security note, I agree that FP as an
application/server/whatever does indeed "suck" but then again my mom grasps
it a lot easier than Dreamweaver/Fireworks.

|-----Original Message-----
|From: Focus on Microsoft Mailing List
|[mailto:FOCUS-MSSECURITYFOCUS.COM]On Behalf Of Florian Duerr
|Sent: Wednesday, October 25, 2000 9:30 AM
|To: FOCUS-MSSECURITYFOCUS.COM
|Subject: Re: Frontpage Extensions
|
|
|hi brian
|
|i think your words about the fp2k-server-extensions are a little too strong.
|i'm the webmaster and server administrator in one person of a web-server,
|which has also the function of a dns-server and mail-server under w2k. it
|all works fine, if the server administrator has done his homework learning
|about the products he/she uses ;-)
|
|i wouldn't say fp2k-server extensions are THE addon for a web-server, but
|they work nicely for beginners and intermediate users who won't spend time
|in programming rather than in designing.
|
|correctly configured and with the newest patches applied (see
|www.microsoft.com) they aren't insecure. i don't know of any colleagues
|who ever had problems with hacking/intrusion. however, mind this:
|a) double-check the security on your web-directory (on ntfs) AFTER the
|extensions were applied to the web
|b) don't ever share the web-directory (why should you? ;-) with
|file&printer sharing
|c) restarting iis after applying the extensions is always a good idea!
|d) set another server-operator than the "administrator" under the
|extensions in the iis-mmc
|
|i like the server extensions in combination with programming!
|
|c ya!
|
|Florian Dürr
|Systems Engineer / MCP
|
|Original Msg:
| >
| >Not to be too critical of any specific technology, but I have always been of
| >the opinion that Front Page server extensions were a horrible idea from the
| >very beginning. I'll briefly review my reasons for saying this:
| >
| >1) I have glanced over a good deal of bug reports and problem workaround
| >statements regarding the extensions when used in the Windows environment.
| >My reading in this area has only been cursory since I will never let anyone
| >use FP2K extensions on any of the boxes that I administrate. As far as I can
| >tell, problems abound.
| >
| >2) The extensions are really just a glorified workaround for users who
| >can't seem to manage to understand how an FTP client works. If someone
| >doesn't know how to work in a virtual site root and then upload the site to
| >a server, what in the world are they doing as a Webmaster? Also on that
| >note...
| >
| >3) Why would anyone even remotely serious about creating a professional Web
| >site use a design tool as poor as MS Front Page? (Sorry, I guess I hold a
| >great deal of animosity in me from back when I was working in Dreamweaver 2
| >and all around me people were making this awful cookie-cutter HTML with
| >Front Page 3 and so forth. Overall, though, it's hard to deny that it's a
| >poor HTML editing tool.)
| >
| >Overall, I usually am of the opinion that Front Page extensions aren't a
| >very good idea on ANY platform. Frankly, I've never even heard of someone
| >use them on an Apache/UNIX system.
| >
| >Brian Rea
| >Internet Solutions Specialist
| >onehealthbank.com
| >
| >----- Original Message -----
| >From: "Christopher Tresco" <ctrescoMIT.EDU>
| >To: <FOCUS-MSSECURITYFOCUS.COM>
| >Sent: Thursday, October 19, 2000 11:17 PM
| >Subject: Frontpage Extensions
| >
| >
| >> I'm not sure if this is the right place for this question, but I'll
|ask
| >> anyways.
| >>
| >> I am wondering what possible security issues I would have by
|installing
| >> Frontpage 2000 extensions under Apache for UNIX??
| >>
| >> Anyone knowledgeable about these things?
| >>
|
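Items a) and b) of Florian's checklist (re-check the NTFS permissions on the web directory after the extensions are applied, and never expose it through file sharing) can be turned into a repeatable audit. The script below is an added example written for this archive, not code from any poster or from Microsoft; it assumes a modern Windows host with the `SmbShare` module and uses `C:\inetpub\wwwroot` as a placeholder web root.

```powershell
# Added example (not from the thread): audit a FrontPage-extended web root for
# write rights granted to broad principals anywhere in the tree (item a) and for
# SMB shares that expose the directory (item b). The web root is an assumption.
param([string]$WebRoot = 'C:\inetpub\wwwroot')

# Principals that should never hold write-type rights on a web root.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ANONYMOUS LOGON')
# Write-type bits only (Modify and FullControl contain these, ReadAndExecute does not),
# plus the GENERIC_WRITE / GENERIC_ALL values that inherited ACEs sometimes carry.
$fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]$fsr::Write -bor [int]$fsr::Delete -bor [int]$fsr::ChangePermissions -bor
             [int]$fsr::TakeOwnership -bor 0x40000000 -bor 0x10000000

function Get-LooseWebAces {
    param([string]$Path)
    # Walk the whole tree: the extensions create _vti_* folders with their own ACLs.
    $dirs = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Directory -Recurse)
    foreach ($dir in $dirs) {
        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            $id = $ace.IdentityReference.Value
            $broad = ($BroadPrincipals -contains $id) -or ($id -like '*\IUSR*')  # IIS anonymous account
            if ($ace.AccessControlType -eq 'Allow' -and $broad -and
                (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
                [pscustomobject]@{ Path = $dir.FullName; Identity = $id; Rights = $ace.FileSystemRights }
            }
        }
    }
}

function Get-SharesExposingPath {
    param([string]$Path)
    $full = (Get-Item -LiteralPath $Path).FullName.TrimEnd('\')
    # A share exposes the web root if its path is the root itself or one of its ancestors.
    # Built-in administrative shares (C$ etc.) are skipped so the report only lists ones you created.
    Get-SmbShare | Where-Object {
        if (-not $_.Path -or $_.Special) { return $false }
        $sp = $_.Path.TrimEnd('\')
        $full.Equals($sp, 'OrdinalIgnoreCase') -or $full.StartsWith($sp + '\', 'OrdinalIgnoreCase')
    }
}

$loose  = @(Get-LooseWebAces -Path $WebRoot)
$shares = @(Get-SharesExposingPath -Path $WebRoot)
if ($loose)  { Write-Warning 'Write-type ACEs for broad principals:'; $loose | Format-Table -AutoSize }
if ($shares) { Write-Warning 'Web root reachable through SMB shares:'; $shares | Format-Table Name, Path -AutoSize }
if (-not $loose -and -not $shares) { Write-Output "No loose ACEs or exposing shares found under $WebRoot." }
```

Run it once before and once after applying the extensions and diff the two reports; any ACE that appears only in the second run is one the installer added and should be reviewed.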