[ale] need advice on adding frontpage ext to Apache

Mike Fletcher fletch at phydeaux.org
Fri Dec 18 13:27:42 EST 1998


>>>>> "Steven" == Steven A DuChene <sad at hpuerca.atl.hp.com> writes:

    Steven> We are doing some server replacement here and have
    Steven> convinced the admin folks to go with Apache but they
    Steven> insist on adding the frontpage extensions to the server
    Steven> "in case" anyone wants to use that for publishing web
    Steven> pages. Several of us in the know have a pretty good idea
    Steven> that this is NOT a good thing but we would like info or
    Steven> actual evidence to present on why that is.

    Steven> So if anyone has additional info we could present on why
    Steven> frontpage extensions are a bad idea to put on an
    Steven> Apache/Unix system please let me know.

	First off, they're from M$. :)

	Seriously though, from what I remember the `fpexe' program has
to run as root and the "security" it uses to guarantee it's only run
from apache is kinda weak.  IIRC the module is only available for apache
1.2, not the current 1.3 version (unless they've released new
versions).  So aside from the fact that they open some security holes,
you have to run an out of date version of apache that may still have
holes of its own.

	I couldn't find anything recent, but you might check out the
following page from the guy who first discovered the exploit (says it
was last updated over a year ago):


http://www.worldgate.com/~marcs/fp/


	If you pull existing pages into frontpage, abandon all hope of
using them with any other WYSIWYG HTML editor or using the pages on a
non-frontpage server (even for plain vanilla pages).  There's also the
fact that frontpage creates hideous HTML and does nasty things like
inserting M$ specific characters (ever wondered why some pages have
garbage high-bit set characters in seemingly random places?).  For
more information and a perl script to correct some of the crap output
that fp produces:


http://www.fourmilab.ch/webtools/demoroniser/


	I've played around with NetObjects Fusion demo version and
it's pretty nice.  Granted there's a higher price tag ($295 retail,
probably a bit less mail order), but it works without any need to
modify the server and it's a complete site management program (not
just an HTML editor).  There's also PageMill from Adobe, but I've
never used it so I can't really comment one way or the other.





