Posted to dev@httpd.apache.org by Marc Slemko <ma...@worldgate.com> on 1997/10/16 05:00:06 UTC

more on frontpage 98 security

Microsoft has put a page up at:

http://www.microsoft.com/frontpage/wpp/apache.htm

responding to the issue.

I find it funny that they say:

Attn: Apache web server administrators
               Microsoft has discovered a bug with the FrontPage 98
               Server Extensions on the UNIX Apache web server. Read all
               about the details and the fix. 

...of course MS discovered it.  They did, but their discovery was aided a
little bit methinks.  Well, they do give appropriate credit (and even a
reference to my fp security hell web page, although for some reason they
don't use the title for the name of the link... <g>) on the actual page
they posted.

Aside from being unable to copy a URL (worldgate.com != worldgate.net even
though they both work fine) their response isn't too bogus.

I find:

               The discovery came about as a result
               of Microsoft proactively providing the source code to the
               fpexe program for review by the Internet community at
               large during the beta testing period of FrontPage 98.  The
               source code to the fixed version will also be available for
               review on the Microsoft FrontPage website at
               http://www.microsoft.com/frontpage/wpp/ once the fix is
               posted next week.

this funny.  Proactive security is publishing the source after release to
let people find gaping holes in it that could have been found (and I did
find them) in two seconds.  Funny, I had thought differently.  I must be
wrong.

No response (well, not that I can blame them... because there isn't
anything they can say) to their questionable code review, or lack thereof.



Re: more on frontpage 98 security

Posted by Rob Hartill <ro...@imdb.com>.
On Wed, 15 Oct 1997, Marc Slemko wrote:

> No response (well, not that I can blame them... because there isn't
> anything they can say) to their questionable code review, or lack thereof.

It's more likely they are afraid to tell you anything for fear of
having the correspondence posted and ridiculed in public.

--
Rob Hartill                              Internet Movie Database (Ltd)
http://www.moviedatabase.com/   .. a site for sore eyes.