Date: Fri, 9 Aug 1996 09:11:59 -0500 (CDT)
From: Responder #1
To: Scott Fritchie
Subject: FrontPage

Nice dis of FrontPage server extensions. Saved me the trouble of even looking at them. Thanks.

-dave

--- snip --- snip --- snip --- snip --- snip --- snip --- snip ---

Date: Thu, 8 Aug 1996 20:30:27 -0500 (CDT)
From: Responder #2
To: Scott Lystig Fritchie
Subject: Re: Security aspects of Microsoft FrontPage server extensions?

On Thu, 8 Aug 1996, Scott Lystig Fritchie wrote:

> >>>>> On Wed, 7 Aug 1996 16:18:45 -0500 (CDT), Prentiss Riddle said:
>
> pr> Background: MS FrontPage is a Windows-based WYSIWYG HTML editor.
> pr> For optimum use of FrontPage, users are instructed to ask their
> pr> ISPs to install the FrontPage "server extensions", [...]
>
> Translated from marketing-speak, that means: really big CGI
> executables. :-)

Thanks a huge heap for the depth of this post. I had wondered about Front Page, but no way jose is the only response after this.

-- Michael

--- snip --- snip --- snip --- snip --- snip --- snip --- snip ---

Date: Thu, 8 Aug 1996 10:16:31 -0700 (PDT)
From: "Robert S. Muhlestein"
Reply-To: "Robert S. Muhlestein"
To: Prentiss Riddle
cc: www-security@ns2.rutgers.edu
Subject: Re: Security aspects of Microsoft FrontPage server extensions?
In-Reply-To: <199608072118.QAA14551@is.rice.edu>

Perhaps the rule seems too simple for most to follow. Perhaps some simply don't have stomach enough to say "no" to Microsoft. Whatever the reason, installing any binary into cgi-bin without first reviewing the source is BAD. Shame on Microsoft for asking.

It's one thing to have a browser with security problems. It's quite a more serious matter for one's main web server to have security problems. Besides, how do we know Microsoft hasn't got some secret subroutine shipping off info about your internal system to Microsoft with every call to the server extensions. And you thought cookies were bad... ;)

Until Microsoft makes the source available, and as long as I work for this ISP, we will not install these extensions. In fact, I plan to post a copy of this notice on our site with a big link that says, "Why we won't install Microsoft Front Page extensions or any other CGI binaries without first reviewing the source." Even under CGIwrap we require that the user's CGI script source be available for inspection at any time.

I'm certainly no security guru; it just seems like simple common sense to want to see what is running in the most vulnerable part of one's web server and, potentially, of one's entire network.

Ok, that's it about security. The rest is unabated Microsoft flaming (not to be pursued in this newsgroup):

Gates says they're moving towards "open standards" yet he requires that every ISP have these extensions to work with his product. That puts Microsoft's dirty feet in every ISP's door. Then he announces future plans to integrate the browser into the OS http://www.nytimes.com/library/cyber/week/0729soft.html (READ: You'll have to have MSIE to use your computer running Microshaft's future OS. Bye, bye Netscape.) Then what? Bill certainly won't start his own system of RFCs and the web will be his. Again, you thought cookies were bad... :|

There are a lot of fine, intelligent people who work for Microsoft. But, as soon as Bill gets his way, these people _could_ be determining the standards for everyone. And it all starts by putting a proprietary (don't believe the license) Microsoft binary into your server source sight unseen... Really, is it too much to ask?

Right now the extensions are free. But, beware, like a drug pusher, Bill will get you hooked with the "free" stuff only to nail you once you're "addicted" by demand from your users who don't know better. He's already got all the weak-willed junkies calling you every day to try to get you hooked. "Come on. Just install them for a little while for testing." Soon, it's too late. He's hooked a big ISP fish. Now you can just sit back and wait to be reeled in at $200/month (or whatever the future license fee turns out to be to use those security-flawed extensions).

If Microsoft really does support open standards, then let's see 'em put their source where their mouth is. Come on, Bill. Let's see even ONE software release under GNU public license. Humm... anyone willing to hold their breath? Kill the "open standards" marketing crap. We want substance.

Just my dva rublya...

Robert Muhlestein (speaking mostly for myself)
Teleport Internet Services
CGI Guy
robertm@teleport.com

On Wed, 7 Aug 1996, Prentiss Riddle wrote:

> Background: MS FrontPage is a Windows-based WYSIWYG HTML editor. For
> optimum use of FrontPage, users are instructed to ask their ISPs to
> install the FrontPage "server extensions", a package available for
> numerous HTTP servers and OS platforms that allows FrontPage authors to
> add numerous server-side features to their web pages including threaded
> discussion groups, full-text searches, and forms handling.
>
> Various people have recently reported security problems with the
> Microsoft FrontPage server extensions. A quick Alta Vista search of
> recent Usenet articles reveals claims like the following:
>
> "The installation under Solaris left my server in a state that
> anyone with FrontPage could administer/author the entire Web
> server."
>
> Does anyone know whether there are serious security problems with the
> Microsoft FrontPage server extensions? Or are problems like those
> that have been reported merely isolated cases of administrator error?
>
> For more information see:
>
> Microsoft FrontPage
> http://www.microsoft.com/frontpage/
>
> Microsoft FrontPage Internet Service Provider Information
> http://www.microsoft.com/frontpage/ispinfo/
>
> -- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
> -- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
> -- Home office: 2002-A Guadalupe St. #285, Austin, TX 78705 / 512-323-0708
> -- Opinions expressed are not necessarily those of my employer.
>

--- snip --- snip --- snip --- snip --- snip --- snip --- snip ---

Date: Thu, 8 Aug 1996 19:37:25 -0700
To: Scott Lystig Fritchie
From: Responder #4
Subject: Re: Security aspects of Microsoft FrontPage server extensions?

We have one customer running Frontpage and I agree with everything you say. Security with IIS is by far the most difficult problem to overcome software-wise. You have to be very careful installing it out of the box. Otherwise, your fly will be down so far that you will be attracting flies from the surrounding states.

But, it's hardly the worst problem. Make sure you have a big "support" or "MIS" budget. We spent so much money and time getting our first customer "up" that we need to get at least ten more now, just to break even. He just won't go away. We spend hours/week on support of this one customer. Every time his web page looks different on a different browser he calls us up to tell us that we are doing something wrong.

It's a very dangerous product. It's way too much power in the hands of people who are having trouble with Microsoft Word. Remember these are the same people who can't figure out how to view their email - never mind the first big button that says "Get Mail". The customer just called up today -- now he wants to write his own CGI application. I almost couldn't contain my laughter.

The Frontpage client is also a very "cheap" customer. He's basically trying to find a way around an already very inexpensive web hosting business.

--

My prediction is that either Microsoft kills the product after a year because of their own excessive support calls. -or- Microsoft makes sure that as many ISPs are doing the support for them as possible.

--- snip --- snip --- snip --- snip --- snip --- snip --- snip ---

Date: Mon, 12 Aug 1996 17:42:10 -0400
From: Responder #5
To: Scott Lystig Fritchie
Subject: Re: Security aspects of Microsoft FrontPage server extensions?

Scott,

Thank you very much for this analysis. It's absolutely terrifying!

Lincoln