> After ordering FP98 yesterday (6/12/98), my Web Host Provider informed me
> that certain FP server extensions pose a security risk and apparently are
> not supported by them. Their comments are as follows-
> "Front Page is at the nexus of many security issues when F/P extensions are
> installed on a UNIX server. The extensions are also called 'bots (robots).
> When installed they create a common F/P "pool" which is accessed by all the
> F/P users on that server. If one knew what one was doing, one could access
> someone else's website and hack it. We don't want to expose you to this
> risk.
> You may use F/P to design a web site that can be uploaded to our server but
> the extensions-related items (on-line forms, hit counter, etc.) will not
> work. You must also use another FTP client (such as cuteFTP, available for
> download at www.cuteftp.com) to upload your page to our server. Other CGI
> hit counters, etc. are available in CGI libraries on the WEB
> (www.worldwidemart.com/scripts/)."
Let me clarify what is meant by Front Page extensions. FP can be used
as a regular HTML editor just like any other HTML editor out there. All
that produces is HTML. The extensions refer to programs that can be run
by the server. These are called by FP-specific comment tags in the HTML
page. For example, if you drag in a counter from FP, the HTML will have
something like <!--webbot bot=counter color=blue style=3 and so on -->.
The FP server will read this and execute a counter program, much like an
Apache server will recognize a Server Side Include and execute the
program you wrote. So if you're looking for an HTML editor and like FP,
then by all means use it. But the server programs are a different
story.
> As a complete novice to web page authoring (which is the reason FP was
> chosen!?) and assuming that my provider's comments are valid, my questions
> are as follows:
> 1) What is the complete list of FP extensions that pose a potential
> security risk?
All of them. I will explain later.
> 2) How do I easily (?) disable these extensions and/or configure FP to
> accommodate my provider's concerns?
Just don't use the programs as described above.
> 3) In fact, should I use FP at all? Is there a more UNIX friendly WYSIWYG
> authoring tool with similar capabilities and ease of use?
I have used Front Page and have found it to be way too bizarre and
complex to do anything simple, and way too restrictive to do anything
creative. Assuming you are running Windows 95, I _highly_ recommend
using HomeSite 3.0. It can be had for $80 if you get it off the
internet (www.allaire.com). It has excellent tools and buttons for doing
all manner of web page authoring, including HTML, JavaScript, DHTML,
etc., while still remaining true to standard HTML. You will also see
the HTML you are writing, and thus quickly become familiar with HTML.
> 4) Can an FP98 page be uploaded with something like cuteFTP?
It can be saved as a regular HTML page and uploaded the same way as you
would a file you made in Notepad. But first of all, if you don't use FP
extensions or their uploader, why waste money on FP? Second, I found
their upload to be a real pain. When creating a web page, I first had
to create a "web" on my computer (I have no idea what that means). They
then had a very specific way of uploading which I never figured out.
Better to stick with standard FTP programs (although HomeSite includes
ability to publish directly to a remote location).
> Any help that can be provided (preferably by email) with respect to these
> issues will be greatly appreciated. Thank You.
Since you're probably wondering what your ISP is talking about, I'll
tell you. Microsoft is well known to be clueless about security, as
until recently they were only developing home OSes and software. A
standard Windows NT server will have way fewer services than even a home
Linux machine, because the less people can interact with the Windows
box, the less harm they can do.
The way web servers on UNIX work is that they have one main web server
running, and all the users on the system have their own accounts. From
these accounts, they can edit HTML files, run CGI programs, and do just
about anything else. The web server merely delivers the users' content
to the world. Apache (suexec) can even run all CGI programs as the user
who owns them, so no user can interfere with another. Front Page
extensions on UNIX totally break this ability. In fact, by default, all
Front Page files are created world writable. This is written on
Microsoft's web site (lost the URL). To fix this, they had to disable
all the things that make UNIX good, like full multiuser access and the
ability to run your own programs. Your ISP was most likely unwilling to
break their UNIX servers to compensate for Microsoft's incompetence, so
they do not support the extensions. You can find NT servers that
support FP extensions, but do not expect to have any direct access to
the server or to be able to run your own programs which you write or
find elsewhere.
If you have more questions, please email me.
- Ben
> bob dullea
--
Ben Sandler
email me: sandler at ymail dot yu dot edu
"Windows is an operating system, not a religion."
- Ted Waitt, chairman of Gateway
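
Added example, not part of the original post: a small audit of a web document root that reports world-writable files (the default the reply attributes to the UNIX extensions) and lists which pages contain `<!--webbot bot=... -->` tags and therefore depend on server extensions. The function names, sample file names and sample tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Matches FrontPage component comments such as <!--webbot bot=counter ... -->
WEBBOT_RE = re.compile(rb'<!--\s*webbot\s+bot\s*=\s*"?([\w-]+)', re.IGNORECASE)

def audit_docroot(root):
    """Return (world_writable_paths, {html_path: [bot names]}) under root."""
    world_writable, bots = [], {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing; do not follow
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(rel)  # any local user could modify this
            if stat.S_ISREG(st.st_mode) and name.lower().endswith((".htm", ".html")):
                with open(path, "rb") as fh:
                    found = WEBBOT_RE.findall(fh.read())
                if found:
                    bots[rel] = [b.decode().lower() for b in found]
    return sorted(world_writable), bots

def build_sample(root):
    """Constructed sample tree: one page with a webbot tag, one world-writable file."""
    with open(os.path.join(root, "index.htm"), "w") as fh:
        fh.write("<html><!--webbot bot=counter color=blue style=3 --></html>")
    with open(os.path.join(root, "plain.html"), "w") as fh:
        fh.write("<html><p>static page</p></html>")
    os.chmod(os.path.join(root, "index.htm"), 0o644)
    os.chmod(os.path.join(root, "plain.html"), 0o666)  # world-writable on purpose

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        writable, bots = audit_docroot(d)
        print("world-writable:", writable)
        print("pages needing server extensions:", bots)
```

Pages listed in the second result are the ones whose forms or counters will stop working on a host without the extensions; anything in the first result should have its write permission for "other" removed.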