FrontPage 2000: What you NEED to know!
This article was written and submitted by J.C. Frazier <sttng@lonetree.com>. Thanks.
See also other FrontPage articles especially FrontPage 2000 – installing the extensions.
Resources
- Microsoft
FrontPage 2000 Server Extensions SR1.2: Downloads for UNIX-Based Servers - Installing
FrontPage Server Extensions to an Apache Web Server
The above link contains the latest tarball…
Installing FrontPage 2000: What you NEED to know!
FrontPage is a very exploited, bug-ridden piece of @&@#$& software! When
I first started this great adventure into the world of MS meets FreeBSD, I had no idea
what I was getting into. Here is the story and the instructions on what you NEED to
know!
When I started there were no FrontPage ports, only some BSDI sources that I found
on the Microsoft page and a short tutorial on FreeBSD’zine.
I followed the instructions to a tee. I myself believed that everything was
fine, however a week or so later I received complaints from customers that they could not
publish pages from their client. I checked the logs and sure enough "password
mismatch". I checked the passwords and everything was right. Hmmm… I’ll save
that kind of work for another day, I suppose.
Four days later I came back and visited Undernet’s #FreeBSD channel. I inquired
about FrontPage and if there was anyone who knew anything about it. (the documentation
that MS provides leaves a LOT to be desired, and newsgroup support is almost as good. btw,
MS charges $395/incident if you require their help). There was a nice guy that said
he knew about it and would help me in the channel. As I was sitting there at my
terminal, I started getting messages of su being used and passwords being changed. I
issued a watch on the terminal real quick and discovered someone trying to get into my
root directory and mount partitions. I disconnected him and changed the password on
the affected account as fast as I could. I then went back to the channel where there
was this "once thought to be nice" guy choking on his words trying to explain to
me he was just trying to "show me the exploits in FP and how bad it was".
Not too much comfort those many nights of work restoring my system for fear of backdoors
placed that night.
Well, eventually I found a little page called http://www.rtr.com/
where they have a discussion group dedicated to each version of FrontPage. I read
every letter and problem on the page and came to the conclusion that FP can be made to be
semi secure, however the method of installation shown in FreeBSD Zine comes no
where close. There is a patched version that definitely needs to be installed in the
source before compilation to obtain any degree of security. And, lucky for me, on
that night’s cvsup, I noticed that apache-fp ports have been made and were in use.
Pre-patched fp. Just what I needed. This time when the FP installation began
after apache’s compilation, the install script actually worked for virtual hosts, per-user
webs, and everything ran much smoother. You can choose the default on just about
every option and it more or less installs itself for you.
Afterwards I borrowed a friend’s copy of FP 2000 and made a test page to publish to the
server. No such luck. "password mismatch". I was paranoid so I did some
other security tests, and ran some exploits I found at http://insecure.org/.
The security was much better and the FP extensions had a lot more functionality
over the former ones I had tried in the past without success. Time to hit Undernet
and the newsgroups again.
After 3 days and 4 nights without sleep I finally came to the realization that no one
on IRC cares about FrontPage, and definitely no one that runs FreeBSD. I visited 10
networks and every #freebsd, #linux, #frontpage, #bsdi, and #unix channel that I could
find. No luck! No one’s ever had these problems (mainly because I think not
too many people use FrontPage that use unix operating systems). I got blown off or
called names in every channel I visited, even #freebsd….and the reason I believe was the
cause of such criticism was more the fact that no one knew the answer than the fact they
actually thought the question was stupid. People tend to criticize the things they
don’t understand….anyways, back to my story. No one knew, no one cared. MS
wanted $395 to care.
I started posting to newsgroups and finally on the third newsgroup I received a reply.
Message after message poured in and I finally realized I was in the right place.
NOTE: a little off the subject I would like to compliment the subscribers of the
freebsd-isp news group. They were the most friendly and knowledgeable people I found
on this little quest of mine and they should be commended for their dedication and people
skills. ANYWAYS: I told them the problem and that I thought it had something to do
with encryption and that the passwords were fine and gave all the information about my
system and configuration. Message after message contained great information and
suggestions which I tried and then would post back to the board.
After 9 days of being in MS FrontPage world (hell) I finally figured it out, with the
help of freebsd-isp. FrontPage uses DES encryption. However the default
install and apache use md5. Even after installing the "secure" package, it
won’t work correctly. You must first install the secure source, and then change the
libcrypt() links from libscrypt() to libdescrypt(). There are four links that need
changed, by the way. After that you must recompile apache. This will also make
apache use DES encryption instead of MD5. Once this is done, you can run FrontPage
and everything should be perfect.
A few notes: once you do this, all passwords (including, but not limited to, your
master.passwd file) will start encrypting in DES instead of md5. However, this is of
little concern. libscrypt() only supports md5, libdescrypt() however supports not only
DES, but md5 also. Your old passwords will be fine, yet all new ones will be DES
unless you create a user with a MD5 salt ($1$xx) in /etc/master.passwd prior to making the
new user. Try it once, it’s a little interesting.
Here’s how to install DES. An easy way to get the des source, if you don’t
already have it, is to create a file like this one called secure.cvsup:
*default host=cvsup3.freebsd.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_3
*default delete use-rel-suffix
*default compress
src-secure
ports-all release=cvs tag=.
Then you run:
cvsup /directory/to/secure.cvsup
This specific file will also sync your ports tree.
Once you cvsup the newest source, cd /usr/src/secure/lib/libdes, then make
all install. After that has been completed you will have the des libraries,
however the correct links still need to be made.
/usr/lib/libcrypt* needs to be linked to /usr/lib/libdescrypt*
instead of libscrypt* as the default is set up. There are 4 files and
the commands are as shown below:
First see if the des libraries exist after your build:
ls -l /usr/lib/libdes*
Then delete the current links from MD5:
rm /usr/lib/libcrypt*
Finally add the new links to DES:
ln -s /usr/lib/libdescrypt.a /usr/lib/libcrypt.a
ln -s /usr/lib/libdescrypt.so /usr/lib/libcrypt.so
ln -s /usr/lib/libdescrypt.so.2 /usr/lib/libcrypt.so.2
ln -s /usr/lib/libdescrypt_p.a /usr/lib/libcrypt_p.a
After which all new passwords will be in DES, changes and old passwords will remain in
MD5. You need to rebuild apache*-fp to assure apache is in des and will
be compatible with FP.
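A post-change check for the relinking procedure above, as an added example that is not part of the original article: it verifies that the four libcrypt links resolve to their libdescrypt counterparts and reports which hash format each account in a master.passwd-format file carries. Traditional DES hashes only cover the first eight characters of a password, so it is worth knowing which accounts have one. The function names and the directory and file arguments are assumptions of this example; the format rules (13-character traditional DES, `_` extended DES, `$1$` MD5) are the standard crypt(3) conventions.

```sh
#!/bin/sh
# Added example: checks to run after relinking libcrypt to libdescrypt.
# Function names and the directory/file arguments are assumptions of this example.

# check_crypt_links LIBDIR: succeeds only if all four libcrypt names are
# symlinks that resolve to their libdescrypt counterparts.
check_crypt_links() {
    libdir=$1; rc=0
    for suffix in .a .so .so.2 _p.a; do
        link="$libdir/libcrypt$suffix"; want="libdescrypt$suffix"
        if [ ! -L "$link" ]; then
            echo "MISSING $link is not a symlink"; rc=1; continue
        fi
        target=$(readlink "$link")
        if [ "${target##*/}" = "$want" ] && [ -e "$link" ]; then
            echo "ok      $link -> $target"
        else
            echo "WRONG   $link -> $target (expected $want)"; rc=1
        fi
    done
    return $rc
}

# hash_scheme HASH: classify a crypt(3) string by its format.
hash_scheme() {
    case $1 in
        '')         echo empty ;;
        '*'*|'!'*)  echo locked ;;
        '$1$'*)     echo md5 ;;       # MD5 crypt carries the $1$ prefix
        _*)         if [ ${#1} -eq 20 ]; then echo des-ext; else echo unknown; fi ;;
        *)          # traditional DES: exactly 13 chars from ./0-9A-Za-z
                    if [ ${#1} -eq 13 ] && ! printf %s "$1" | grep -q '[^./0-9A-Za-z]'
                    then echo des; else echo unknown; fi ;;
    esac
}

# scheme_report FILE: print "user scheme" for each account in a
# master.passwd-format file (colon-separated, hash in field 2).
scheme_report() {
    while IFS=: read -r user hash rest; do
        case $user in ''|'#'*) continue ;; esac
        echo "$user $(hash_scheme "$hash")"
    done < "$1"
}
```

Run `check_crypt_links /usr/lib` after the `ln -s` step, and `scheme_report /etc/master.passwd` as root once users have changed passwords, to see which accounts have moved from md5 to des.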
In conclusion, I’d just like to say that FreeBSD is great. Sometimes we have
heartaches and problems…but it only teaches us more, and we learn what this whole thing
is supposed to be about. Making things work. Nine days later and I’m almost
(not quite but almost) glad that I was broken into, so that I could find some of the
problems and take care of them. FrontPage isn’t the devil it’s made out to be.
It’s making me lots of money because not too many other UNIX providers will support
its insecurities. If you consult those that know, and you take your time, and you
compile the patch into apache source or get the port, FrontPage can be a good experience.
Just remember, do NOT follow the instructions on FreeBSD’zine if you don’t like
rebuilding systems! And….check out http://www.rtr.com/!
Other people’s problems help us all. And not to forget the saviors of
freebsd-isp.
Salutations and thanks for everything!
J.C. Frazier sttng@lonetree.com