[plug] multi-file find & replace

Leon Brooks leonb at leonsbox.smileys.net
Tue Oct 27 09:48:27 WST 1998



On Sat, 24 Oct 1998, Greg Mildenhall wrote:
> > Another issue is Frontpage extensions.  This is supposed to allow Apache
> > to handle "bots", one of which is the means of assigning URLs to
> > polygons on a graphic.  
> 10 to 1 there's a security hole in that 'bot' that will allow anyone
> with a browser to gain access to the system as whatever user the webserver
> is running as.

Ummm, root.

> > I wonder if the Frontpage extensions will fix the htm/html thing too?
> Unlikely - unless it edits your mime.types, which is altogether possible,
> but undesirable.

> <rant>
> AFAIK, the so-called extensions are comprised of a daemon which frontpage
> can connect to in order to upload pages using its standard protocol,
> (well, not standard, but standard for frontpage) and some CGI binaries
> that frontpage knows how to use.

No daemon, just some _HUGE_ CGIs. Until version 3, you had to have a real
copy of each of these (approx 2M) binaries in _every_web_. Worse, each of
the three binaries (total of about 6M per web) are nearly (in some
versions exactly) identical.

> I'm unconvinced of the merits of either
> of these - the former because frontpage could easily be programmed to
> behave like any other web-editor, and the latter because running CGIs to
> which you do not have the source code is a patently stupid thing to do if 
> security is of any importance to you.
> </rant>

Agree. I'm going to let the NT box do that, because that box is officially
Not My Problem(tm).

Cheers!



