Re: [cobalt-users] Cobalt wishlist



Once upon a time, Robert G. Fisher <rfisher@xxxxxxxxxxxxxxx> said:
> On Wed, Apr 05, 2000 at 03:32:21PM -0500, Chris Adams wrote:
> > When I had the cgiwrap problem, it was more serious because not only was
> > it a security problem but it broke functionality.  The current problem I
> > know of doesn't break any functionality, it just lets anyone on a RaQ
> > edit all FrontPage sites on the RaQ.
> 
> Not really.  On the RaQ, FP97 extensions are installed.  The
> configuration still relies on .htaccess files which generally
> point the AuthUserFile and AuthGroupFile to ./_vti_pvt/service.pwd
> and ./_vti_pvt/service.grp and restrict PUT and POST in the 
> ./_vti_bin/ directories to use administrators or authors group 
> from service.grp.  (FP uses CGI's POST method to upload all pages.)

That is not where the bug is.  It doesn't matter what version of the FP
extensions is installed.  If your site is uploaded through the FP
interface, anybody with an account on that RaQ can edit your site
(add/modify/delete pages).  If you don't believe me, give me a site on
your RaQ. :-)
-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.