
Re: Security aspects of Microsoft FrontPage server extensions?



Perhaps the rule seems too simple for most to follow.  Perhaps some
simply don't have stomach enough to say "no" to Microsoft.  Whatever the
reason, installing any binary into cgi-bin without first reviewing the
source is BAD.  Shame on Microsoft for asking.  It's one thing to have
a browser with security problems.  It's quite a more serious matter for
one's main web server to have security problems.

Besides, how do we know Microsoft hasn't got some secret subroutine
shipping off info about your internal system to Microsoft with every
call to the server extensions?  And you thought cookies were bad...
;)

Until Microsoft makes the source available, and as long as I work
for this ISP, we will not install these extensions.  In fact, I plan to
post a copy of this notice on our site with a big link that says, "Why
we won't install Microsoft Front Page extensions or any other CGI binaries
without first reviewing the source." Even under CGI wrap we require that the
user's CGI script source be available for inspection at any time.

I'm certainly no security guru; it just seems like simple common
sense to want to see what is running in the most vulnerable part of
one's web server and, potentially, of one's entire network.

Ok, that's it about security.  The rest is unabated Microsoft flaming
(not to be pursued in this newsgroup):

Gates says they're moving towards "open standards" yet he requires that
every ISP have these extensions to work with his product.  That puts
Microsoft's dirty feet in every ISP's door.  Then he announces future
plans to integrate the browser into the OS
http://www.nytimes.com/library/cyber/week/0729soft.htm (READ: You'll
have to have MSIE to use your computer running Microshaft's future
OS. Bye, bye Netscape.)  Then what?  Bill certainly won't start his own
system of RFCs and the web will be his.  Again, you thought cookies were
bad...  :|

There are a lot of fine, intelligent people who work for Microsoft.
But, as soon as Bill gets his way, these people _could_ be determining
the standards for everyone.  And it all starts by putting a proprietary
(don't believe the license) Microsoft binary into your server source
sight unseen...  Really, is it too much to ask?

Right now the extensions are free.  But, beware, like a drug pusher,
Bill will get you hooked with the "free" stuff only to nail you once
you're "addicted" by demand from your users who don't know better. He's
already got all the weak-willed junkies calling you every day to try to get
you hooked.  "Come on.  Just install them for a little while for testing."
Soon, it's too late.  He's hooked a big ISP fish.  Now you can just sit back
and wait to be reeled in at $200/month (or whatever the future license fee
turns out to be to use those security-flawed extensions).

If Microsoft really does support open standards, then let's see 'em put
their source where their mouth is. Come on, Bill.  Let's see even ONE
software release under GNU public license.  Humm... anyone willing to hold
their breath?  Kill the "open standards" marketing crap.  We want
substance.

Just my dva rublya...

Robert Muhlestein
(speaking mostly for myself)
Teleport Internet Services
CGI Guy
robertm@teleport.com

On Wed, 7 Aug 1996, Prentiss Riddle wrote:

> Background: MS FrontPage is a Windows-based WYSIWYG HTML editor.  For
> optimum use of FrontPage, users are instructed to ask their ISPs to
> install the FrontPage "server extensions", a package available for
> numerous HTTP servers and OS platforms that allows FrontPage authors to
> add numerous server-side features to their web pages including threaded
> discussion groups, full-text searches, and forms handling.
>
> Various people have recently reported security problems with the
> Microsoft FrontPage server extensions.  A quick Alta Vista search of
> recent Usenet articles reveals claims like the following:
>
> 	"The installation under Solaris left my server in a state that
> 	anyone with FrontPage could administer/author the entire Web
> 	server."
>
> Does anyone know whether there are serious security problems with the
> Microsoft FrontPage server extensions?  Or are problems like those
> that have been reported merely isolated cases of administrator error?
>
> For more information see:
>
> 	Microsoft FrontPage
> 	http://www.microsoft.com/frontpage/
>
> 	Microsoft FrontPage Internet Service Provider Information
> 	http://www.microsoft.com/frontpage/ispinfo/
>
> -- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
> -- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
> -- Home office: 2002-A Guadalupe St. #285, Austin, TX 78705 / 512-323-0708
> -- Opinions expressed are not necessarily those of my employer.
>



