FrontPage security

• To: Jacques Delsemme <jacques@cats.UCSC.EDU>
• Subject: Re: www2 upgrade
• From: Paul Tatarsky <tatar@cats.UCSC.EDU>
• Date: Mon, 30 Aug 1999 08:37:33 -0700
• cc: buhrow@cats.UCSC.EDU (Brian Buhrow), mcclark@cats.UCSC.EDU, jar@cats.UCSC.EDU, ericg@cats.UCSC.EDU, tatar@cats.UCSC.EDU, tatar@tiger.ucsc.edu
• In-reply-to: Your message of "Thu, 26 Aug 1999 17:48:02 PDT." <199908270048.RAA15199@meow.UCSC.EDU>

> I'd welcome Paul's expertise in reviewing the security of the 
> FrontPage Extensions, and determine whether they pose an acceptable risk.

Ah and like all security issues, risk is better defined by what you 
are protecting. What web pages will this be used for? I assume all of
www2. Whats the risk of some page on www2 being replaced with
"Free Kevin Mitnick"? I imagine its fairly low.

Since from the look of it FrontPage is a glorified "PUT" method, with
an ACL system on top of the other ACL systems, I would say FrontPage
is as _network_ layer secure as any other cleartext access protocol to 
access the web pages (telnet, ftp, etc.) Sniffers will see username/passwords
from the sound of it, with some hash method used to keep the passwords
somewhat safer.

Of course, by running a SSL protected web server (which is rather easy
with Apache) you could encrypt the HTTP streams in their entirety and
not worry about the over the net packet content, including FrontPage
usernames and passwords.

Then, on the host side, I'd like to know more about this statement:

> The FrontPage Apache module, which intercepts requests from the
> FrontPage client to the FrontPage Server Extensions executable
> files, performs security checks, and redirects the request to the
> fpexe stub program which is set to SUID root. By intercepting each
> request within the server itself, no script alias is required.  The
> fpexe program, which accepts authoring requests from the FrontPage
> Apache module, performs additional security validation, changes the
> user ID of the Web server process to the owner of the
> FrontPage-extended web being authored, and then invokes the central
> copy of FrontPage Server Extensions executable files.

Thats not a trivial operation in AFS, right Brian?

I'm also a little concerned about adding "yet another username/password" 
pair to peoples existence. The more people have, the more likely they are
to start synchronizing them or worse, sticking them on the monitor.

This module is Microsoft developed which they apparently unlike most
of their products release the source for review. Thats good.

Thats all can I think of. Road testing it out would be much more
interesting, and I'm happy to help anyway I can.

--------------------------------------------------------------------
Paul Tatarsky                            tatar@cats.ucsc.edu
UC Santa Cruz                            (831) 459-5438
Network Security Manager            FAX  (831) 459-5333
             http://www2.ucsc.edu/cats/nts/security
--------------------------------------------------------------------