FreeBSD Port: frontpage-22.214.171.12423_1
jrhett at meer.net
Fri Apr 29 22:26:24 PDT 2005
On Fri, Apr 22, 2005 at 03:30:06PM -0500, Scot Hetzel wrote:
> The one difference that I know of between these two mod_frontpage
> ports, is that Improved mod_frontpage checks to see if we have been
> authenticated for the ADMIN and ADMINCGI urls. When I added these
> checks to the RTR version (change FrontPageAlias to FrontPageNeedAuth
> for the ADMIN and ADMINCGI checks in the mod_frontpage.c patches), the
> mod_frontpage module was checking for authentication before the Apache
> 2.0 server requested authentication.
Actually, it's asking for authentication for things that apache doesn't ask
for authentication on. This was broken by pathname changes in the
rtr-compiled versions of frontpage. See my patches regarding this.
> What other significant security enhancements does Improved mod_frontpage have?
improved mod_frontpage has all of the security checks that are applied to
CGIs. Last time I saw the rtr frontpage module, it was fairly easy to make
it run things it shouldn't have if someone left directory permissions too
I haven't compared them side by side in a while, and perhaps I should do
that before speaking further.
More information about the freebsd-ports