Vulnerability

    Front Page Server Extensions

Affected

    FrontPage on Cobalt RaQ2/RaQ3

Description

    Chris Adams  found following.   There is  a security  problem with
    FrontPage  extensions  on  the  Cobalt  RaQ2  and RaQ3 web hosting
    appliances.  It allows any  user on the system to  change, delete,
    or overwrite a FrontPage site.

    When a site is uploaded with FP to a RaQ2/3, all of the files  are
    owned by user "httpd" instead of a site-specific user.  The Apache
    web server is also running  as user "httpd".  Cobalt  uses cgiwrap
    to have CGIs run as the user that owns the CGI instead of "httpd",
    but  it  is  trivial  to  bypass  cgiwrap  and run scripts as user
    "httpd".

    You can bypass  cgiwrap because the  Apache config files  have the
    line  "AllowOverride  All".   All  you  have  to  do  is create an
    .htaccess file with these lines in it:

        Options +ExecCGI
        AddHandler cgi-script .cgi

    Then CGIs  in that  directory will  be run  with the  web server's
    access as user "httpd".

    This same AllowOverride setting pretty much nullifies the  "Enable
    CGI  Scripts"  and  "Enable  Server  Side Includes" options on the
    site administration config for a  web site, since CGI and  SSI can
    be  enabled  through  a  .htaccess  file even if the administrator
    disables them.

Solution

    This  is  due  to  a  permissioning  issue  with the 'httpd' user.
    Cobalt Networks completed a fix for this bug that is available  in
    tar.gz format, which can be found at the following locations:

        RaQ 3i (x86) ftp://ftp.cobaltnet.com/pub/experimental/secuirty/frontpage/fpx_patch1.tar.gz
        RaQ 2 (MIPS) ftp://ftp.cobaltnet.com/pub/experimental/secuirty/frontpage/fpx_patch1.tar.gz