How can I definitely Disable Frontpage extensions?

[Kent Brockman]

Hi. I know I can uninstall Frontpage extensions, but at this moment I NEED to definitely avoid them to be installed or reinstalled, even prevent resellers of being able to install Frontpage extensions to his customers' accounts.
An entry in the Tweak Settings, the same way you can enable/disable webmail, horde, roundcube, you should also be able to definitely hide Frontpage extensions.

May this be done in some way or should I request this functionality via bugzilla?

Thanks!

 

[Spiral]

Why in the world would you make a report to bugzilla? :D

Log into WHM

Go into "Feature Manager" and edit your "disabled" feature list

Uncheck "Frontpage" and then save the list!

That's it! Frontpage will be totally disabled system wide and nobody
can use it and it cannot be re-added by anyone including resellers
other than you going back in as root and turning it back on in the
disabled feature list.

Your "disabled" feature list is a special list that lets you disable any feature
on a server wide basis for all accounts, all users, and all resellers. Other
features you might want to consider disabling for security would include
"crontab" and "SSH Connection Window"

 

[Kent Brockman]

@Spiral: hi, Sorry me for the rush but I forgot to mention that I have Apache already compiled without Frontpage extensions. Although, the resellers are able to activate Frontpage extensions when they create accounts without setting a hosting package! Due to the hosting plans we offer, I cannot force them to use hosting packages, but in despite of this, they shouldn't be able to activate Frontpage

I compiled Apache without Frontpage on last June, but people not using packages are able to activate Frontpage! Why in the world are they able to activate Frontpage if I compiled Apache without it? is this a bug?

Here is a cPanel 11.24.4-S36281 - WHM 11.24.2 - X 3.9 on a CENTOS 4.7 i686 under Virtuozzo. Apache 2.2. dual PHP 4+5.

Any ideas? submit this as bug?

 

[Silver_2000]

If you compiled Apache with no Frontpage extensions then the checkbox in Cpanel can be ignored. Its been years but I think Frontpage does allow FTP access for file uploads. They just wouldnt be able to use the insecure Frontpage extensions.

BUT its pest to take Spirals advice and remove the icon/checkbox so that customers dont ask the question why the extensions dont work

 

[Kent Brockman]

Yep. Indeed, disabling Frontpage at Feature Manager works fine for all the configured packages. BUT those resellers who don't use packages are able to activate Frontpage. So, again: is this a bug? how to definitely disable it?

 

[Silver_2000]

they are not activating anything if you removed it from apache

the check box may be there but its not recompiling apache

 

[Kent Brockman]

Although, the vti_bin folders and the htaccess instructions are being installed! Can you explain that with other than a bug?

 

[Kent Brockman]

Well, I think it's worthy an entry at bugzilla, so I'll post it.

In this scenario, after you have created the account, and the vti_bin folders are set, you can of course uninstall Frontpage with the options at WHM, but it shouldn't be activated from the start!

 

[Silver_2000]

you are right
the install script still craps up the public_html folder
That sucks
I dont have a copy of frontpage to test the client

Its likely tough for WHM to know if apache is installed with the extensions

It would be nice to be able to remove it entirely since MS stopped fixing security issues in it and the extensions many years ago

my comments were purely from the server perspective and teh security issues around running the extensions

 

[chirpy]

Well, I think it's worthy an entry at bugzilla, so I'll post it.

In this scenario, after you have created the account, and the vti_bin folders are set, you can of course uninstall Frontpage with the options at WHM, but it shouldn't be activated from the start!

Certainly sounds like a bug to me and is probably just an oversight as cPanel can determine if FP was compiled in or not.

 

[Kent Brockman]

Certainly sounds like a bug to me and is probably just an oversight as cPanel can determine if FP was compiled in or not.

Certainly it is a bug, and you Chirpy already know very well about this kind of security issues.

Read and vote my request to resolve this bug:
Bug 9429 - Frontpage extensions available if you don't set a package

Leaving Frontpage activated by error/default with no attention or security measures is a security hole that may or may not compromise the whole server, it's an open door for script kiddies and bots. And this reasonable doubt is the major reason to patch this issue.

Regards.

 

[MaraBlue]

Voted for it as a bug. This has been a problem for years, and really needs to be addressed.

 

[Silver_2000]

to clarify

assuming that apache is compiled without the extension support - is the issue of the account having the vti folders etc. a security issue ?

 

[Kent Brockman]

to clarify

assuming that apache is compiled without the extension support - is the issue of the account having the vti folders etc. a security issue ?

Yes, it is. As said, I compiled Apache without FP support but cPanel is still putting the vti folders and the .htaccess instructions. if you create an account without assigning a package to it. This is being seen on cPanel 11.24.4-S36281.

 

[Silver_2000]

Yes, it is. As said, I compiled Apache without FP support but cPanel is still putting the vti folders and the .htaccess instructions. if you create an account without assigning a package to it. This is being seen on cPanel 11.24.4-S36281.

the vti folders are all empty except for the htaccess file which points to the frontpage password file -

vti_pvt contains the password file and about 15 other files

Im not an expert - what is the risk of these files ?
'with no extensions running in apache what risk to the rest of the server do these files create ?

 

[Kent Brockman]

the vti folders are all empty except for the htaccess file which points to the frontpage password file -

vti_pvt contains the password file and about 15 other files

Im not an expert - what is the risk of these files ?
'with no extensions running in apache what risk to the rest of the server do these files create ?

Well, in despite of the expertise or not, and in despite that the access information in those folders is useless without the FP extensions, if you didn't compiled FP support with Apache, those folders have nothing to do there: cPanel shouldn't have created it from the start when you create the account. This issue may or may not be a security hole, but you know, Devil is in the details. So, patching this issue is a recomended action.

 

[Silver_2000]

I agree that it should be possible to prevent the appearance of the install of FP if for no other reason that to set expectations with customer and keep support questions to a minimum

housekeeping issues no doubt

But Im most concerned abut the FP security issues

which was my original question - are these files a security risk to the rest of the server ?

 

[Kent Brockman]

I agree that it should be possible to prevent the appearance of the install of FP if for no other reason that to set expectations with customer and keep support questions to a minimum

housekeeping issues no doubt

But Im most concerned abut the FP security issues

which was my original question - are these files a security risk to the rest of the server ?

The install sets several config files in the root of the account. I'm not an expert on Frontpage, that's why I say that this may or may not be a security hole. BTW, cleaning this will minimize customer questions about why FP appear to be installed in their accounts although its folders are completely useless.

 

[Kent Brockman]

Sorry to bump the thread, but today I found that this is still an issue. May anybody at cPanel assign this issue a Case number?

 

[Infopro]

Why would you create an account without a package? The idea of the packages it to limit / disable certain features, right?

Would you mind laying out the steps to reproduce this and I'll give it a try here to see if I can duplicate the issue.