[ale] need advice on adding frontpage ext to Apache
michael mcdermott
m at wroth.com
Fri Dec 18 14:30:53 EST 1998
Actually, no, it can run as any user; it is just recommended that it run at
higher permissions than the webserver. We set up ours to run as the ftp user.
Mike Fletcher wrote:
>
> >>>>> "Steven" == Steven A DuChene <sad at hpuerca.atl.hp.com> writes:
>
> Steven> We are doing some server replacement here and have
> Steven> convinced the admin folks to go with Apache but they
> Steven> insist on adding the frontpage extensions to the server
> Steven> "in case" anyone wants to use that for publishing web
> Steven> pages. Several of us in the know have a pretty good idea
> Steven> that this is NOT a good thing but we would like info or
> Steven> actual evidence to present on why that is.
>
> Steven> So if anyone has additional info we could present on why
> Steven> frontpage extensions are a bad idea to put on a
> Steven> Apache/Unix system please let me know.
>
> First off, they're from M$. :)
>
> Seriously though, from what I remember the `fpexe' program has
> to run as root and the "security" it uses to guarantee it's only run
> from apache is kinda weak. IIRC the module is only available for apache
> 1.2, not the current 1.3 version (unless they've released new
> versions). So aside from the fact that they open some security holes,
> you have to run an out of date version of apache that may still have
> holes of its own.
>
> I couldn't find anything recent, but you might check out the
> following page from the guy who first discovered the exploit (says it
> was last updated over a year ago):
>
> http://www.worldgate.com/~marcs/fp/
>
> If you pull existing pages into frontpage, abandon all hope of
> using them with any other WYSIWYG HTML editor or using the pages on a
> non-frontpage server (even for plain vanilla pages). There's also the
> fact that frontpage creates hideous HTML and does nasty things like
> inserting M$ specific characters (ever wondered why some pages have
> garbage high-bit set characters in seemingly random places?). For
> more information and a perl script to correct some of the crap output
> that fp produces:
>
> http://www.fourmilab.ch/webtools/demoroniser/
>
> I've played around with NetObject's Fusion demo version and
> it's pretty nice. Granted there's a higher price tag ($295 retail,
> probably a bit less mail order), but it works without any need to
> modify the server and it's a complete site management program (not
> just an HTML editor). There's also PageMill from Adobe, but I've
> never used it so I can't really comment one way or the other.
--
"Of course the void is nothingness. By knowing things that exist,
you can know that which does not exist. That is the void."
-Shinmen Musashi, The Book of the Void.