Security Implications of Microsoft FrontPage Server Extensions

General Security Concerns

On UNIX, all CGI programs invoked by the same web server share the same user account. If you have multiple authors, a CGI script created by one author has the same privileges as a CGI script created by any other author. This is a problem with any web server. It is exacerbated by FrontPage because the FrontPage Server Extensions, which are CGI scripts, require write access to the web content. An author who cannot modify another author's content directly can still create a CGI script that modifies the content.

If you do not trust your authors not to circumvent security in this way then you have two options:

  1. Do not allow them to create CGI scripts. You can enforce this with the NoExecutableCgiUploads server configuration parameter.
  2. Setuid the FrontPage extensions for each author to run as that author. The FrontPage Web Presence Provider Kit is designed to support this configuration.

On some web servers, such as NCSA and Apache, some FrontPage Client operations, such as dividing the web content into separately administered subwebs, require that the web server's configuration files be modified. Again, providing this access to FrontPage also provides it to other CGI programs. You can restrict this access by disabling the creation of CGI scripts or by using the Web Presence Provider Kit. You can also simply restrict access to the web server configuration files. This will cause any operation that requires access to those files to fail.

Specific Security Threats

If not properly configured, the FrontPage Server Extensions could, in a few ways, weaken your system's security. Please read this section and take whatever steps are appropriate for your user community. Some preventive steps involve turning off certain features of the FrontPage Server Extensions; these configuration parameters are described elsewhere.

Threat:
FrontPage allows the users to upload executable CGI scripts. These may take advantage of flaws in your system security.
Prevention:
Turn off the ability to save executable CGI scripts with the NoExecutableCgiUploads server configuration parameter.
Threat:
If you run the HTTP server as root, and if you allow FrontPage users to upload arbitrary CGI scripts, users can eventually get root privileges by subverting the web server configuration files.
Prevention:
Turn off the ability to save executable CGI scripts with the NoExecutableCgiUploads server configuration parameter. Also, protect the HTTP server's configuration files and configuration file directory so that the FrontPage user has no write access. Note: You'll have to temporarily make the configuration files and directory writable when you want to use FrontPage to create new subwebs.
Threat:
Authors can upload arbitrary shell scripts which can affect all webs under your HTTP server.
Prevention:
Turn off the ability to save executable CGI scripts with the NoExecutableCgiUploads server configuration parameter.
Threat:
If you run the HTTP server as root and you choose an insecure umask (one with world write access or one with group write access where some users are members of the group), users can replace FrontPage Server Extensions with arbitrary shell scripts or executables that will be run with root privileges.
Prevention:
Choose and set a secure umask before installing the executables and running the HTTP server.
Threat:
FrontPage's Save Results WebBot component can allow the user to save form results into a file named by a file path. This may allow users to take advantage of flaws in your system security.
Prevention:
Turn off the ability to save to file system paths in the Save Results WebBot component with the NoSaveResultsToAbsoluteFile server configuration parameter.
Threat:
FrontPage's Save Results WebBot component can allow the user to pipe form results into an arbitrary program. This may allow users to take advantage of flaws in your system security.
Prevention:
Turn off the ability to pipe the Save Results WebBot component output to programs or specify a restricted list of programs with the SaveResultsPipeToAllows server configuration parameter.
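
The following POSIX shell check is an added example, not part of the original documentation. It covers the insecure-umask threat and the advice to keep the server configuration files and directory non-writable: it flags a umask that leaves group or world write enabled, and lists group- or world-writable files and directories under the paths you pass. The paths (your extensions and server configuration directories) are assumptions supplied by the operator, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: permission audit for the umask and config-file threats.
# Usage: sh audit.sh /path/to/extensions /path/to/server/conf   (paths are assumptions)

# umask_is_secure MASK -> exit 0 only if MASK strips both group write (020)
# and world write (002) from newly created files.
umask_is_secure() {
    [ $(( 0$1 & 022 )) -eq $(( 022 )) ]
}

# list_writable PATH... -> print every file or directory under PATH that is
# group- or world-writable. Directories matter: write access to a directory
# is enough to replace an executable inside it. Symlinks are skipped because
# their own mode bits are not meaningful.
list_writable() {
    find "$@" ! -type l \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# audit PATH... -> exit 0 if nothing is group/world-writable, 1 otherwise.
audit() {
    findings=$(list_writable "$@")
    if [ -n "$findings" ]; then
        printf 'Group- or world-writable (tighten before running the server):\n%s\n' "$findings"
        return 1
    fi
    echo "No group- or world-writable files or directories found."
    return 0
}

if [ $# -gt 0 ]; then
    if ! umask_is_secure "$(umask)"; then
        echo "WARNING: current umask $(umask) leaves group or world write enabled"
    fi
    audit "$@"
fi
```

Group-writable findings are a problem only when the group has members other than the intended owner, as the threat description notes, so review group membership for anything reported with mode bit 020.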