Re: [cobalt-users] Security issues with FP2000 + Linux and apachemod



No Cobalt servers use the FrontPage Apache Mod.  No web-based FrontPage
(client) web administration is supported; that's what the Cobalt
administrative web interface is for.  All FrontPage binary exploits will
be limited to site administrator or user httpd privilege.

Stock FrontPage for Unix/Linux could experience root exploits due to
publicly accessible suid root Microsoft code.

FrontPage, like any service, is susceptible to security exploits.
However, because FrontPage is not open source software, it is far more
likely to be exploited than most OSS services.  If you're trying to run
a secure server, fewer services running often means less risk of a
security compromise.  Common sense, yes?

There are no known security issues with FrontPage services on any Cobalt
server.  Again, the FrontPage server extensions that are integrated into
Cobalt servers are very different from the standard FrontPage
distribution for Linux!!


	-- Will

Kris Dahl wrote:
> 
> on 2/29/00 1:09 PM, jonathan at jjma@xxxxxxxxxxxxxx wrote:
> 
> > hi
> >
> > I was discussing the beauties of the FrontPage extensions which were giving
> > trouble to a web site I was developing using fp ext on an NT server. I
> > phoned the tech dept, discussed fp extensions in detail on cross platforms
> > and he said that if using fp ext on a Linux system then there are serious
> > security issues. (He is a Linux man at heart with hosting support for NT and
> > Linux.)
> >
> > My question:
> >
> > Is the raq open to a potential hack because of FP extensions opening a back
> > door? Has anyone had FP on their server and pulled it when building a site
> > for e-commerce?
> >
> > Is there any reason why FP extensions are included with the raq, I mean the
> > Raq2 and Raq which runs mips?
> >
> > My quirk is if Linux + FrontPage is a no no, should I take out all FP ext
> > where SSL is used?
> 
> FP Extensions on Linux aren't so much the issue--it's Front Page Extensions
> on any platform.
> 
> Take a look at this page:
> http://www.attrition.org/mirror/attrition/
> That's a mirror of defaced websites.  The vast majority are NT servers--many
> of the security holes that allowed the 'hackers' to deface the pages are a
> result of Front Page extensions.
> 
> I don't run it for these reasons.  The best you can do is keep up on
> BugTraq, CERT, etc. for security advisories, and apply the necessary
> patches, etc.
> 
> -k
> 
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-users