Password problem in FrontPage 98

Dave Pifke (dave@VICTIM.COM)
Fri, 09 Jan 1998 14:52:52 -0800

The Microsoft FrontPage server extensions store their configuration files
underneath the document root for the web server. In a multi-user
configuration (i.e. an ISP), this is typically the public_html
subdirectory of a user's home.

One of the directories it creates for configuration information is
'_vti_pvt', in which it creates a file 'service.pwd' containing
username:cryptpw, one line per user.

_vti_pvt is created 0775 and service.pwd is created 0664. Removing
group-write or world-read permissions breaks the extensions (you can no
longer log in).

The world-read setting is bad (let's hope most users don't use the same
login password as they do for FrontPage, sigh), and the group-write is
even worse (again I point to the typical ISP setup). Since the cgi-bin
programs execute setuid to the user the extensions belong to, there is no
reason for them to be set this way. I have a feeling Microsoft is simply
sloppy in their use of open() flags. (they had a problem with needing
httpd.conf to be world-writable(!) that just recently got fixed)

I don't know the other implications of having _vti_pvt (and the other
config files it contains) group-writable. Because the software is setuid,
it is quite possible that there's a way to compromise the accounts of
anyone using FrontPage.

This was tested against the latest version (3.0.2.1117) on an Apache
server under Solaris.

Basic understanding of UNIX file permissions should be a prerequisite to
shoving software down ISPs' throats.

--
Dave Pifke, dave@victim.com