Re: August Meeting Action Items

Christopher X. Candreva (chris@westnet.com)
Mon, 26 Aug 1996 13:56:39 -0400 (EDT)

On Mon, 26 Aug 1996, Patrick Colvin wrote:

> Finally, I relied on the Front Page "Editors Choice" review in the latest
> copy of PC Magazine. I'm sure that their reviewers were aware of the
> rumored security problems with Front Page and investigated these problems
> before giving it their seal of approval.

I wouldn't be sure of any such thing. I wouldn't rely on PC Mag for info
on Unix servers. You're better off in something like
comp.infosystems.www.servers.unix

> My reasons for going to bat on this program are many. We offer web site
> hosting to non-profit groups who do not have the money to spend on
> professional web page creation and design, and have no idea what FTP means.

I'm sure they are as equally unfamiliar with FrontPage at this point --
but I digress.

As I said in my first message:

If nothing else, do NOT run FrontPage and/or the web server as root as the
documentation suggests. If you do so, you might as well take the password
off the root account !

Later on, it mentions this could be a problem. It should never have been
suggested in the first place.

You are, essentially, giving this program write access to your machine.
Already, this is a bad idea.

They even mention you should run it as root so it can reset the server.
This should NEVER be done. Ever. Already, I don't trust them to know
anything about Unix if they will suggest this.

OK, so we create the special user, so we lose some functionality -- we
can't restart the server. So this program, written by MicroSoft, which of
course tests all their software so there are no bugs in it, now has write
access to the whole web system.

At this point, it's basically a question of trust. I trust the ftp daemon
that's been pounded on for the last 25+ years. I (and many others) have a
hard time trusting this piece of software.

One thing I didn't see addressed at all in the docs I have: Is there any
sort of user mechanism within FrontPage, to keep people from uploading
into other users' sites ?

This isn't the level of detail you are looking for -- no known exploits.
I just see it as too much risk for, essentially, a built-in FTP.

Get a licence for Ws-ftp, or one of the other free windows ftp programs
that support drag and drop -- it's just copying files. At least then you
are relying on a known security system. MS has a terrible track record
when it comes to both bugs and security. I would not off-load any part of
my security scheme to their software.

-Chris

==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
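The two controls the message argues for, refusing to run the authoring service as root and keeping each hosting account's uploads inside its own site directory, are shown below as an added example. It is not code from the thread, from FrontPage or from any ftp daemon; the account names, site roots and upload requests are constructed for illustration, and the confinement check is a generic one that any upload handler could apply.

```python
import os

# Constructed sample hosting layout: account name -> that account's site root.
# Assumed paths; nothing here needs to exist on disk to run the checks.
SITE_ROOTS = {
    "alice": "/var/www/sites/alice",
    "bob": "/var/www/sites/bob",
}


def running_as_root():
    """True if this process has root's effective uid; a service that handles
    uploads from customers should refuse to start in that state."""
    return hasattr(os, "geteuid") and os.geteuid() == 0


def confined_upload_path(user, relative_name, site_roots=SITE_ROOTS):
    """Return the absolute destination for `user` uploading `relative_name`,
    or None if the request would land outside that user's own site root.

    realpath() is used so that '..' components and symlinks are resolved before
    the containment test; a lexical prefix test alone would miss a symlink
    planted inside one site that points into another.
    """
    root = site_roots.get(user)
    if root is None:
        return None  # unknown account: nothing to write into
    if os.path.isabs(relative_name):
        return None  # uploads are always named relative to the site root
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, relative_name))
    # Accept the root itself or anything strictly below it (prefix plus separator,
    # so that "alice-other" is not mistaken for a child of "alice").
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def triage_uploads(requests, site_roots=SITE_ROOTS):
    """Split (user, relative_name) pairs into accepted destinations and
    rejected requests, so the caller can log the rejections."""
    accepted, rejected = {}, []
    for user, name in requests:
        dest = confined_upload_path(user, name, site_roots)
        if dest is None:
            rejected.append((user, name))
        else:
            accepted[(user, name)] = dest
    return accepted, rejected


if __name__ == "__main__":
    if running_as_root():
        raise SystemExit("refusing to handle uploads as root; run as a dedicated unprivileged user")

    # Constructed requests: two legitimate, three that must be refused.
    sample_requests = [
        ("alice", "index.html"),
        ("bob", "img/logo.gif"),
        ("alice", "../bob/index.html"),   # hop into another account's site
        ("alice", "/etc/passwd"),         # absolute name
        ("mallory", "index.html"),        # no such account
    ]
    ok, bad = triage_uploads(sample_requests)
    for key, dest in ok.items():
        print("accept", key, "->", dest)
    for key in bad:
        print("reject", key)
```

The check is deliberately independent of how the files arrive (FTP, a built-in authoring client, or anything else): the server decides the destination from the account and the relative name, never from a client-supplied absolute path, and it is expected to run under a dedicated account that owns only the site directories.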