Re: [cobalt-users] Cobalt wishlist
- Subject: Re: [cobalt-users] Cobalt wishlist
- From: Will DeHaan <will@xxxxxxxxxx>
- Date: Wed Apr 5 14:00:02 2000
- Organization: Cobalt Networks
Paul Schreiber wrote:
>
> --- Chris Adams <cmadams@xxxxxxxxxx> wrote:
> > > You *are* aware that any site web can turn CGI and SSI back on at will
> > > when they are turned off in the GUI by default...? (by simply adding
> > > handlers in .htaccess, unless you intentionally make it non-readable
> > > to the user)
> >
> > There is a security hole here too (I reported it over a month ago and
> > they said they are working on a fix, but they haven't released one yet).
> >
> > Part of the problem is that the wonderful FrontPage extensions require
> > "AllowOverride All" in the web config file.
>
> Report it to bugtraq. That'll get it fixed -real- fast. :-)
Oh please don't, we're testing multiple changes for Frontpage to fix
this problem and I don't want to rush anything to you before it's well
tested.
Frontpage site web content will undergo an ownership change from httpd
to nobody. Group ownership as-is. I'm trying out some other changes as
well, like selectively enabling "AllowOverride All" for only those site
regions with the FPX enabled. Non-trivial, and a very hard change to
make in the field on a live system without breaking frontpage services.
So, inter-site frontpage web data access through shared user "httpd"
access through .htaccess enabled scripting will be eliminated. If
possible we'll put the clamps down on AllowOverride.
Be patient, fixes are in the works, more time == better quality. You
all seem to appreciate the difficulty in convincing FPX to live with
less privilege.
-- Will
>
> www.security-focus.com
>
> Paul
>
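The .htaccess trick Chris describes, and the server-wide "AllowOverride All" that makes it work, as an added audit script. This is not Cobalt's code and nothing from the thread; it builds its own constructed sample site tree and httpd.conf, and the paths, the directive patterns and the function names are all assumptions.

```shell
# Added audit helper (not Cobalt's code): find .htaccess files that turn CGI or
# SSI back on, and check whether httpd.conf grants the "AllowOverride All" that
# lets those per-directory handlers take effect.

# Handler directives that re-enable CGI/SSI from .htaccess (need FileInfo override).
HANDLER_RE='AddHandler[[:space:]]+(cgi-script|server-parsed)|SetHandler[[:space:]]+cgi-script|AddType[[:space:]]+application/x-httpd-cgi'
# "Options ... +ExecCGI" / "Options ... Includes" (need Options override).
# "Options -ExecCGI" style removals are deliberately not matched.
OPTIONS_RE='Options([[:space:]]+[-+]?[[:alnum:]]+)*[[:space:]]+\+?(ExecCGI|Includes)'
# Anchor at line start so commented-out directives are ignored.
HTACCESS_RE="^[[:space:]]*(${HANDLER_RE}|${OPTIONS_RE})"

# Print every .htaccess under $1 that contains one of those directives.
audit_htaccess() {
    find "$1" -type f -name .htaccess 2>/dev/null | while read -r f; do
        if grep -Eiq "$HTACCESS_RE" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Same scan, returning only the number of offending files.
count_htaccess_overrides() {
    audit_htaccess "$1" | wc -l | tr -d ' '
}

# Succeed if the given httpd.conf grants "AllowOverride All" anywhere; with that
# in place every directive matched above is honoured for the covered tree.
conf_grants_override_all() {
    grep -Eiq '^[[:space:]]*AllowOverride[[:space:]]+All([[:space:]]|$)' "$1"
}

# Build a constructed sample tree (assumed layout, not real Cobalt data) and
# print its path. Two of the four sites re-enable scripting from .htaccess.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/site1/web" "$d/site2/web" "$d/site3/web" "$d/site4/web"
    # flagged: CGI handler added back
    printf 'AddHandler cgi-script .cgi .pl\n' > "$d/site1/web/.htaccess"
    # flagged: SSI switched on via Options
    printf 'Options +Includes\nAddType text/html .shtml\n' > "$d/site2/web/.htaccess"
    # clean: auth-only .htaccess, the kind FrontPage itself relies on
    printf 'AuthType Basic\nAuthName "staff"\n' > "$d/site3/web/.htaccess"
    # clean: commented-out handler and explicit removals only
    printf '# AddHandler cgi-script .cgi\nOptions -ExecCGI -Includes\n' > "$d/site4/web/.htaccess"
    # the weak server setting the thread is about
    printf '<Directory /home/sites>\n    AllowOverride All\n</Directory>\n' > "$d/httpd.conf"
    printf '%s\n' "$d"
}
```

Run `audit_htaccess /home/sites` (or whatever the real site root is) to list the sites that have quietly turned CGI or SSI back on, and `conf_grants_override_all /etc/httpd/conf/httpd.conf` to confirm whether the server lets them. The hardened shape Will outlines is `AllowOverride None` in the default `<Directory>` block with `AllowOverride All` granted only in the `<Directory>` blocks for FrontPage-enabled site regions; re-running the audit afterwards shows which of the flagged .htaccess files still matter.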