Re: [cobalt-users] Security issues with FP2000 + Linux and apache mod
- Subject: Re: [cobalt-users] Security issues with FP2000 + Linux and apache mod
- From: Kris Dahl <kris@xxxxxxxxxxxxx>
- Date: Tue Feb 29 14:24:14 2000
on 2/29/00 1:09 PM, jonathan at jjma@xxxxxxxxxxxxxx wrote:
> hi
>
> I was discussing the beauties of the FrontPage extensions which were giving
> trouble to a web site I was developing using fp ext on an NT server. I
> phoned the tech dept, discussed fp extensions in detail on cross platforms
> and he said that if using fp ext on a Linux system then there are serious
> security issues. (He is a Linux man at heart with hosting support for NT and
> Linux.)
>
> My question:
>
> Is the raq open to a potential hack because of FP extensions opening a back
> door? Has anyone had FP on their server and pulled it when building a site
> for ecommerce?
>
> Is there any reason why FP extensions are included with the raq, I mean the
> Raq2 and Raq which runs mips.
>
> My quirk is if Linux + FrontPage is a no no, should I take out all FP ext
> where SSL is used?
FP Extensions on Linux aren't so much the issue--it's Front Page Extensions
on any platform.

Take a look at this page:

http://www.attrition.org/mirror/attrition/

That's a mirror of defaced websites. The vast majority are NT servers--many
of the security holes that allowed the 'hackers' to deface the pages are a
result of Front Page extensions.

I don't run it for these reasons. The best you can do is keep up on
BugTraq, CERT, etc. for security advisories, and apply the necessary
patches, etc.

-k