Re: [cobalt-users] Cobalt wishlist
- Subject: Re: [cobalt-users] Cobalt wishlist
- From: "Robert G. Fisher" <rfisher@xxxxxxxxxxxxxxx>
- Date: Thu Apr 6 05:42:15 2000
On Wed, Apr 05, 2000 at 04:32:56PM -0500, Chris Adams wrote:
> That is not where the bug is. It doesn't matter what version of the FP
> extensions are installed. If your site is uploaded through the FP
> interface, anybody with an account on that RaQ can edit your site
> (add/modify/delete pages). If you don't believe me, give me a site on
> your RaQ. :-)
Okay, now you really have my curiosity up. Where's the condition
that lets you write to files? The biggest thing I can see is
a possible CGI exploit in that since all users' CGIs run as httpd,
and all FP-enabled webs are owned by httpd -- that a malicious
user could put together a small CGI using the POST method to let
anyone upload a file that posts to a directory tree outside your
own directory.
Is this what you're talking about? Unfortunately, that's something
I suspect you'd encounter with all ports of FrontPage until you are
able to run the FP extensions to setuid to an admin for a particular
site in each site that has FP enabled.
--
Robert G. Fisher NEOCOM Microspecialists Inc.
System Administrator/Programmer (540) 666-9533 x 116
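The condition Robert describes (every user's CGI running as httpd, and every FrontPage-enabled web owned by httpd) is something an administrator can audit rather than guess at. The script below is an added example, not code from this thread or from Cobalt; it assumes a POSIX host and takes the uid (and optionally gid) that CGIs actually execute under, then walks a document root and lists every directory and file such a process could modify. It goes slightly beyond the thread's case: besides "owned by the web-server uid", it also flags group-writable and world-writable entries, since those are reachable by a CGI for the same reason. The demo tree it builds under a temp directory is constructed for illustration.

```python
from __future__ import annotations

import os
import shutil
import stat
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def writable_by(st: os.stat_result, uid: int, gid: Optional[int] = None) -> Optional[str]:
    """Explain why a process running as uid/gid could write this inode, or None if it cannot.

    Owner-write is checked against uid, group-write against gid (if given),
    and other-write applies to anyone. Root is not special-cased on purpose:
    the question is what the unprivileged web-server identity can reach.
    """
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return "owned by web-server uid (the RaQ/FrontPage condition)"
    if gid is not None and st.st_gid == gid and mode & stat.S_IWGRP:
        return "group-writable by web-server gid"
    if mode & stat.S_IWOTH:
        return "world-writable"
    return None


def audit_tree(root: str, uid: int, gid: Optional[int] = None) -> list[Finding]:
    """Return every directory and file under root that a CGI running as uid/gid could modify."""
    findings: list[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # The directory itself matters too: write access there allows creating
        # or replacing files (e.g. dropping a new page into someone else's web).
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            reason = writable_by(os.lstat(path), uid, gid)
            if reason:
                findings.append(Finding(path, reason))
    return sorted(findings, key=lambda f: f.path)


def build_demo_tree(root: str) -> None:
    """Constructed sample layout: two virtual sites, one with a world-writable page."""
    os.makedirs(os.path.join(root, "site1", "cgi-bin"))
    os.makedirs(os.path.join(root, "site2"))
    samples = {
        os.path.join("site1", "index.html"): 0o644,
        os.path.join("site1", "cgi-bin", "script.cgi"): 0o755,
        os.path.join("site2", "page.html"): 0o666,  # sloppy permissions
    }
    for rel, mode in samples.items():
        full = os.path.join(root, rel)
        with open(full, "w") as fh:
            fh.write("<html></html>\n")
        os.chmod(full, mode)


def demo() -> dict[str, list[str]]:
    """Run the audit twice: once as if CGIs run as the files' owner, once as a separate uid."""
    root = tempfile.mkdtemp(prefix="web-audit-")
    try:
        build_demo_tree(root)
        owner_uid = os.getuid()           # the files we just created belong to us
        separate_uid = owner_uid + 12345  # constructed uid that owns nothing here
        rel = lambda fs: [os.path.relpath(f.path, root) for f in fs]
        return {
            # Everything is reachable when the CGI identity owns the webs.
            "cgi_runs_as_owner": rel(audit_tree(root, owner_uid)),
            # With a dedicated uid, only genuinely loose permissions remain.
            "cgi_runs_as_separate_uid": rel(audit_tree(root, separate_uid)),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for scenario, paths in demo().items():
        print(scenario)
        for p in paths:
            print("   ", p)
```

Run against a real document root as `audit_tree("/home/sites", uid_of_httpd)` (the uid is an assumption to supply from `/etc/passwd`); an empty result for the web-server identity is the state you want, and any site directory that shows up as "owned by web-server uid" is one that every other user's CGI on the box can rewrite, which is exactly the per-site setuid separation Robert says is missing.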