Web Hosting Talk

Effects of having Front Page server extensions on a UNIX system


stlouislouis
03-24-2002, 11:52 AM
Hi,

On another thread asking what Front Page server extensions are, DaddyPops kindly provided this link to Front Page server extensions for Unix:

http://www.rtr.com/fpsupport/fp2002eula.htm

Rather than ask the below on that thread, I thought a new thread was appropriate to avoid "thread subject matter creep".

After looking at the site linked above, I noticed the downloads listed mention older versions of Red Hat Linux (7.0) and FreeBSD (4.0). Of course, RH Linux is now at version 7.2; and FreeBSD is at 4.5 RELEASE.

I read some discussion threads on the site. Seems lots of folks are having trouble getting this to work right. Of course, it may just be their errors -- or the software might be buggy; I can't say of course.

What I'm wondering about is:

1) How likely is it that installing these front page extensions for Linux and FreeBSD would make the system less stable -- and thus more prone to server downtime and other undesirable server behavior? Anyone know?

2) By installing these Front Page server extensions on a unix system, is one opening up security holes on the server that would not be there except for these Front Page extensions?

3) What percentage of hosting customers MUST have these extensions -- or they will take their business elsewhere? Is there a large percentage of hosting customers out there who refuse to learn to upload via a ftp program they can download and use for free?

Thank you for sharing your insight into this!

Take care,

Louis

bert
03-24-2002, 12:39 PM
Hello Louis,

To be very brief:

1) Very likely.

2) Yes indeed.

3) Unfortunately a lot!


Even though I truly believe that FrontPage is c**p, a huge percentage of customers request them, so if you want to be competitive, you must offer them. :)

Relyc
03-24-2002, 01:49 PM
Yes you are bound to lose customers if you do not have frontpage extensions, it seems as though everyone is using them.
For the life of me, I cannot understand why.

We have one customer who claims to be a webmaster "with over 10 years of experience" that demands his frontpage extensions working (there was a problem with the ones on his domain...that we fixed)

I found it hard to believe that a webmaster, that's been around since the beginning of the internet, doesn't know better than to use FP, but it seems that anything is possible :rolleyes:

jambler
03-24-2002, 02:22 PM
I'm unsure about the security issues related to FPx with a win32 server, but with linux or unix they only present security issues. They are very vulnerable and should never be used, unless of course you're more interested in your cash and image than the security of your system ; ). As you will see, simply by the number of webhosts that do offer FPx's, most don't give two s**ts about their systems' security, or the security of their users' information.

Shyne
03-24-2002, 02:30 PM
It depends. If you are reaching out to the developer community, then FP won't be needed at all.

If you are reaching out to the average person community, then yes FP is a must.

bitserve
03-25-2002, 12:11 AM
1. The FrontPage extensions do not make anything less stable on UNIX. I'd like to see the evidence from those that claim so.

2. There are no additional security concerns running the FrontPage extensions on UNIX. If you know of vulnerabilities, please report them so that they can be corrected.

3. Approximately 10% of our customers have a FrontPage Root Web created, but then we advertise FrontPage hosting and are Microsoft authorized FrontPage web presence providers.

Michael96
03-25-2002, 12:38 AM
Hi

As far as I can see the only real issue is one of cost, FrontPage/Windows NT/2000/XP server vs the rest.

Let's not forget that it's become cool to bad mouth all things Microsoft.

As for me, I will stick with FrontPage, it gets the job done and in the end that's all I want.

Regards
Michael

jambler
03-25-2002, 12:44 AM
the latest release, thank my sec admin for the link.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:17.mod_frontpage.asc

gcjeepster
03-25-2002, 12:52 AM
Originally posted by stlouislouis


What I'm wondering about is:

1) How likely is it that installing these front page extensions for Linux and FreeBSD would make the system less stable -- and thus more prone to server downtime and other undesirable server behavior? Anyone know?

2) By installing these Front Page server extensions on a unix system, is one opening up security holes on the server that would not be there except for these Front Page extensions?

3) What percentage of hosting customers MUST have these extensions -- or they will take their business elsewhere? Is there a large percentage of hosting customers out there who refuse to learn to upload via a ftp program they can download and use for free?

Thank you for sharing your insight into this!

Take care,

Louis

We have FP Extensions installed on our Linux server which has never caused any downtime or it to be less stable than not having them installed... to us - we haven't noticed a difference one way or another.

As for security holes, you can check the TechNet provided by Microsoft and do a search on FrontPage Extensions. Otherwise, if Security is any issue, there are various components, scripts, etc to lock down directories and so on.

On another note, I have found some issues with using SSL with a FrontPage form.... we have tried everything from uninstalling and reinstalling the extensions, copying the config file to include port 443 in addition to the default port 80 as well as publishing our entire site to https:// vs. http://.

Has anyone else had this issue or better yet has anyone resolved this issue? If so, how?

remarkable
03-25-2002, 02:07 AM
This is the myth... FrontPage Exts on Unix is less stable and less secure.. BS!

I have never seen.. Not once in all the years working on FP on Unix a single PROPERLY configured server/account hacked, damaged, or crashed due to FP.

roly
03-25-2002, 02:23 AM
If you install it then there goes .htaccess! (You can't use .htaccess anymore)

jambler
03-25-2002, 02:31 AM
HA, yes, and I'm going to trust your opinion over an advisory from FreeBSD.org? I think not. Moreover, configured properly? What a f**king joke. Take a look at some of the people posting on this board. You honestly think even half of them can configure an NT or SysV/POSIX "properly"? Which is fine, everyone has to start somewhere. Also, the repliers wish to have documentation on my claims that they are in fact insecure? Fine, you present the same. You counter that advisory with documented usage of a FrontPage Extension used on a SysV or POSIX server that is secure and not vulnerable. If you can't? Then at the very least mellow out your replies. Calling my post "BS" without being able to prove it is stupid, and rude.

remarkable
03-25-2002, 03:10 AM
WOooo..!!! Wait one second. You are way out of line.

1) I did not call your post BS. I called the myth about FP being insecure on Unix BS. For 5 years I have NEVER seen a properly configured unix server exploited.

2) I never made any claim about anyone's skills.

3) People do not go around writing advisories about software being "Secure", that my friend is a joke.

4) Yes. You should take my word over an advisory that is outdated and meaningless if you set up your server properly.

5) I did not even read your post. I read the first 2 posts and clicked reply. So my friend.. you owe me an apology for calling me stupid and rude. You also owe thousands of other people that use this board an apology.

I did a search on several security sites and did not find a single current advisory about FrontPage on Unix. Fact.. There have been more security advisories against PHP, Apache, Sendmail, BIND, wu-ftp, ProFTPD..... Should I go on? All of these are applications that run on Unix. Are you saying the world is a joke for running these applications because they have security advisories?

Thank you.


Originally posted by jambler
HA, yes, and I'm going to trust your opinion over an advisory from FreeBSD.org? I think not. Moreover, configured properly? What a f**king joke. Take a look at some of the people posting on this board. You honestly think even half of them can configure an NT or SysV/POSIX "properly"? Which is fine, everyone has to start somewhere. Also, the repliers wish to have documentation on my claims that they are in fact insecure? Fine, you present the same. You counter that advisory with documented usage of a FrontPage Extension used on a SysV or POSIX server that is secure and not vulnerable. If you can't? Then at the very least mellow out your replies. Calling my post "BS" without being able to prove it is stupid, and rude.

jambler
03-25-2002, 03:39 AM
Originally posted by remarkable
People do not go around writing advisories about software being "Secure", that my friend is a joke.


I'm not asking for an advisory, I'm asking for an explanation, either in your own words, or a simple link. On why you believe FPx to no longer be a security risk.

An apology to you? No, the remark that you are "stupid, and rude." is/was dependent on your being able to prove your statements, which you have yet to do. Though, if it had been clear that your reply had been written without reading the post directly above it, yes, my remarks would have been phrased differently. Also, apologies to the thousands. Again I beg to differ. I don't doubt there are many, MANY, educated persons that post to this forum. However!, when I see "Admins" (forgive me for using you as an example) asking where his syslogs are stored, or * people requiring control panels to run their servers. I'm sorry, but that doesn't present a good "standard of education" for the "posties".

remarkable
03-25-2002, 03:59 AM
Sorry Jambler you are the one being rude. Not just rude but arrogant.

My original statement.

I have never seen.. Not once in all the years working on FP on Unix a single PROPERLY configured server/account hacked, damaged, or crashed due to FP.


I don't know where you come from.. But in my world you need to prove the insecurity of something. Things are secure until you prove it to be insecure.

Can you prove that FP on Unix is insecure? Can you show me a single documented case of a PROPERLY configured Unix server being hacked through FP? You claim to have FreeBSD advisories, where are they? Can you post the link to a current advisory that details an exploit in FrontPage?


Documentation you are asking for does not exist. The security community does not go around trying to prove something is secure. They try to break things and show that things are insecure.

I'm standing by my opinion and experience. I have never seen or heard of a PROPERLY configured Unix server exploited through FrontPage. I have been in the WebHosting business since 1995. Started working on FP since Version 1.5



Originally posted by jambler


I'm not asking for an advisory, I'm asking for an explanation, either in your own words, or a simple link. On why you believe FPx to no longer be a security risk.

An apology to you? No, the remark that you are "stupid, and rude." is/was dependent on your being able to prove your statements, which you have yet to do.

jambler
03-25-2002, 04:14 AM
Yes, of course, I'm out of line. I'm sorry.

ToastyX
03-25-2002, 04:42 AM
UNIX is not like Windows. Installing software isn't going to cause instability unless it affects the kernel or main libraries. The only security issues I've seen are people not configuring their own site properly, allowing anyone with FrontPage to edit their site. That doesn't leave the whole server vulnerable, just that one particular FrontPage site.

Everyday
03-25-2002, 12:00 PM
It's a shame that Macromedia or Adobe don't offer Dreamweaver or GoLive in a "simpler" version. Something that doesn't have as many features as the full version but is competitive with FrontPage in price. Then this really wouldn't be an issue.

When consumers are looking for products, unfortunately they look at price as the deciding factor...most of the time. Since Dreamweaver is what? $300-$400 then FrontPage is $125 they will most likely buy FrontPage. Not knowing that they are restricting themselves to a piece of software that wants to make things work its way instead of being able to use something that works with just about everything.

Personally I recommend dreamweaver to any customers looking for something similar to frontpage. Hopefully more will see the light...

shiznet
03-25-2002, 12:09 PM
Originally posted by roly
If you install it then there goes .htaccess! (You can't use .htaccess anymore)

this couldn't be MORE WRONG

if you have an existing website and install fp extensions, I don't know if it does anything with .htaccess (it may), but with fp extensions installed you can modify & create as many .htaccess files as you want. most hosts that offer FPexts and also have tools in the control panel that modify .htaccess only allow you to do one or the other, because many of those control panel tools are buggy. but you can edit the .htaccess file manually all you want and FrontPage doesn't care (and doesn't get rid of your changes either).

I know that FP98 is worse at this because you can't set folder passwords and such with it, so you HAVE to edit .htaccess manually, but I think FP2000 is better and can do more of this for you

bitserve
03-25-2002, 12:18 PM
Originally posted by jambler
the latest release, thank my sec admin for the link.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:17.mod_frontpage.asc

That link is to the FreeBSD port of the improved mod_frontpage.

"mod_frontpage is a replacement for Microsoft's frontpage apache patch to support FP extensions. It is installed as a DSO module."

This obviously does not apply to the FrontPage extensions and apache patch released by RTR and Microsoft.

bitserve
03-25-2002, 12:33 PM
Originally posted by jambler
HA, yes, and I'm going to trust your opinion over an advisory from FreeBSD.org? I think not. Moreover, configured properly? What a ... joke. Take a look at some of the people posting on this board. You honestly think even half of them can configure an NT or SysV/POSIX "properly"? Which is fine, everyone has to start somewhere. Also, the repliers wish to have documentation on my claims that they are in fact insecure? Fine, you present the same. You counter that advisory with documented usage of a FrontPage Extension used on a SysV or POSIX server that is secure and not vulnerable. If you can't? Then at the very least mellow out your replies. Calling my post "BS" without being able to prove it is stupid, and rude.

That advisory had nothing to do with the FP extensions released by RTR and Microsoft, but someone else's hack. And I doubt that the vulnerability won't be patched.

Mod_frontpage is as secure as suexec for apache. I don't go around saying that suexec is unsecure and that people who run it are more interested in cash and their image.

PS: Our FrontPage implementation is secure and not vulnerable. I have also done a code review on the apache patch and saw no problems.

doug357
03-25-2002, 01:12 PM
Hello,

I would like to address some of the comments in this thread...

1. Never had a problem with .htaccess and front page, just don't use front page password protection for folders.

2. Never had heard of instability with linux.

As for security I found the following information from SecurityFocus...

Microsoft FrontPage Sensitive Page Attack

This event indicates that a remote user is attempting to view certain pages offered by Microsoft's Frontpage server. The page views in and of themselves are not attacks and are not attempting to exploit any particular vulnerability.

However, the files that are being requested are not those that are typically associated with regular user access and are related more to administrative work. This particular signature checks for the following pages being requested: FrontPage-author.exe, FrontPage-cfgwiz.exe, FrontPage-contents.htm, FrontPage-form_results, FrontPage-Fpadmcgi.exe, FrontPage-fpremadm.exe, FrontPage-fpsrvadm.exe, FrontPage-orders.htm, FrontPage-orders.txt, FrontPage-register.htm, FrontPage-register.txt, FrontPage-registrations.htm, FrontPage-registrations.txt, FrontPage-service.cnf, FrontPage-service.stp, FrontPage-services.cnf, FrontPage-shtml.dll, FrontPage-svcacl.cnf, FrontPage-users.pwd, FrontPage-writeto.cnf.

This may be indicative of an intelligence-gathering probe or a remote user attempting to view sensitive information such as usernames and passwords, shopping cart information etc.

This signature may also be triggered if there has been an attempt to access the directory /_vti_bin. This particular directory is accessed during the payload of the highly prolific worm, Nimda.
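
The signature quoted in the post above, sketched as a log check (an added example, not part of the thread and not SecurityFocus's own rule). It assumes the "FrontPage-" prefix in the quoted list is the signature's label rather than part of the requested file name, and that the server writes Apache Common Log Format; the log lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# File names from the quoted signature list, assuming the "FrontPage-" prefix
# is the signature's label and the remainder is the requested file name.
SENSITIVE_NAMES = {
    "author.exe", "cfgwiz.exe", "contents.htm", "form_results",
    "fpadmcgi.exe", "fpremadm.exe", "fpsrvadm.exe", "orders.htm",
    "orders.txt", "register.htm", "register.txt", "registrations.htm",
    "registrations.txt", "service.cnf", "service.stp", "services.cnf",
    "shtml.dll", "svcacl.cnf", "users.pwd", "writeto.cnf",
}

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def classify(target):
    """Return the reason a request target matches the signature, or None."""
    # Decode percent-escapes and fold case before comparing, so that
    # /%5Fvti%5Fbin/ and /_VTI_BIN/ are treated like /_vti_bin/.
    path = unquote(urlsplit(target).path).lower()
    segments = [s for s in path.split("/") if s]
    if segments and segments[-1] in SENSITIVE_NAMES:
        return "sensitive-file:" + segments[-1]
    if "_vti_bin" in segments:
        return "vti_bin-access"
    return None

def scan(lines):
    """Return (client, status, target, reason) for each matching log line."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        client, _method, target, status = m.groups()
        reason = classify(target)
        if reason:
            hits.append((client, int(status), target, reason))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [25/Mar/2002:13:01:02 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [25/Mar/2002:13:01:05 -0600] "GET /users.pwd HTTP/1.0" 404 210',
    '198.51.100.7 - - [25/Mar/2002:13:01:06 -0600] "GET /%5Fvti%5Fbin/ HTTP/1.0" 403 199',
    '203.0.113.4 - - [25/Mar/2002:13:02:11 -0600] "POST /_vti_bin/SHTML.DLL HTTP/1.0" 200 512',
    '192.0.2.10 - - [25/Mar/2002:13:03:00 -0600] "GET /docs/orders.html HTTP/1.0" 200 880',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The status code is kept in each hit because, as the quoted text says, the requests themselves are not attacks: a 200 on one of these files deserves a closer look than a 404.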

bitserve
03-26-2002, 02:02 AM
Originally posted by gcjeepster
...On another note, I have found some issues with using SSL with a FrontPage form.... we have tried everything from uninstalling and reinstalling the extensions, copying the config file to include port 443 in addition to the default port 80 as well as publishing our entire site to https:// vs. http://.

Has anyone else had this issue or better yet has anyone resolved this issue? If so, how?

The only known issue with the FrontPage 2002 extensions is that you can not manage an SSL and a NON-SSL site on the same host name with the FrontPage client.

Maybe that's your problem?