The Community Forums


How can I definitely Disable Frontpage extensions?

Discussion in 'E-mail Discussions' started by Kent Brockman, Jul 20, 2009.

  1. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Hi. I know I can uninstall Frontpage extensions, but at this moment I NEED to definitely prevent them from being installed or reinstalled, and even prevent resellers from being able to install Frontpage extensions on their customers' accounts.
    With an entry in Tweak Settings, the same way you can enable/disable webmail, Horde and RoundCube, you should also be able to definitely hide Frontpage extensions.

    Can this be done in some way, or should I request this functionality via Bugzilla?

    Thanks!
     
  2. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Why in the world would you make a report to bugzilla? :D

    Log into WHM

    Go into "Feature Manager" and edit your "disabled" feature list

    Uncheck "Frontpage" and then save the list!

    That's it! Frontpage will be totally disabled system wide and nobody
    can use it and it cannot be re-added by anyone including resellers
    other than you going back in as root and turning it back on in the
    disabled feature list.

    Your "disabled" feature list is a special list that lets you disable any feature
    on a server wide basis for all accounts, all users, and all resellers. Other
    features you might want to consider disabling for security would include
    "crontab" and "SSH Connection Window"
     
    #2 Spiral, Jul 20, 2009
    Last edited: Jul 20, 2009
  3. Kent Brockman

    Kent Brockman Well-Known Member

    @Spiral: Hi, sorry for the rush, but I forgot to mention that I have Apache already compiled without Frontpage extensions. However, the resellers are able to activate Frontpage extensions when they create accounts without setting a hosting package! Due to the hosting plans we offer, I cannot force them to use hosting packages, but in spite of this, they shouldn't be able to activate Frontpage :eek:

    I compiled Apache without Frontpage last June, but people not using packages are able to activate Frontpage! Why in the world are they able to activate Frontpage if I compiled Apache without it? Is this a bug?

    This is cPanel 11.24.4-S36281 - WHM 11.24.2 - X 3.9 on CentOS 4.7 i686 under Virtuozzo. Apache 2.2, dual PHP 4+5.

    Any ideas? Submit this as a bug?
     
  4. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    If you compiled Apache with no Frontpage extensions then the checkbox in cPanel can be ignored. It's been years, but I think Frontpage does allow FTP access for file uploads. They just wouldn't be able to use the insecure Frontpage extensions.

    BUT it's best to take Spiral's advice and remove the icon/checkbox so that customers don't ask the question why the extensions don't work.
     
  5. Kent Brockman

    Kent Brockman Well-Known Member

    Yep. Indeed, disabling Frontpage in Feature Manager works fine for all the configured packages. BUT those resellers who don't use packages are able to activate Frontpage. So, again: is this a bug? How to definitely disable it?
     
  6. Silver_2000

    Silver_2000 Well-Known Member

    They are not activating anything if you removed it from Apache.

    The check box may be there, but it's not recompiling Apache.
     
  7. Kent Brockman

    Kent Brockman Well-Known Member

    However, the vti_bin folders and the htaccess instructions are being installed! Can you explain that as anything other than a bug?
     
  8. Kent Brockman

    Kent Brockman Well-Known Member

    Well, I think it's worthy of an entry at Bugzilla, so I'll post it.

    In this scenario, after you have created the account, and the vti_bin folders are set, you can of course uninstall Frontpage with the options at WHM, but it shouldn't be activated from the start!
     
  9. Silver_2000

    Silver_2000 Well-Known Member

    You are right.
    The install script still craps up the public_html folder.
    That sucks.
    I don't have a copy of Frontpage to test the client.

    It's likely tough for WHM to know if Apache is installed with the extensions.

    It would be nice to be able to remove it entirely since MS stopped fixing security issues in it and the extensions many years ago.

    My comments were purely from the server perspective and the security issues around running the extensions.
     
  10. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Certainly sounds like a bug to me and is probably just an oversight as cPanel can determine if FP was compiled in or not.
     
  11. Kent Brockman

    Kent Brockman Well-Known Member

    Certainly it is a bug, and you, Chirpy, already know very well about this kind of security issue.

    Read and vote for my request to resolve this bug:
    Bug 9429 - Frontpage extensions available if you don't set a package

    Leaving Frontpage activated by error/default with no attention or security measures is a security hole that may or may not compromise the whole server, it's an open door for script kiddies and bots. And this reasonable doubt is the major reason to patch this issue.

    Regards.
     
  12. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    335
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    Voted for it as a bug. This has been a problem for years, and really needs to be addressed.
     
  13. Silver_2000

    Silver_2000 Well-Known Member

    To clarify:

    Assuming that Apache is compiled without the extension support - is the issue of the account having the vti folders etc. a security issue?
     
  14. Kent Brockman

    Kent Brockman Well-Known Member

    Yes, it is. As said, I compiled Apache without FP support, but cPanel is still putting the vti folders and the .htaccess instructions if you create an account without assigning a package to it. This is being seen on cPanel 11.24.4-S36281.
     
  15. Silver_2000

    Silver_2000 Well-Known Member

    The vti folders are all empty except for the htaccess file, which points to the Frontpage password file.

    vti_pvt contains the password file and about 15 other files.

    I'm not an expert - what is the risk of these files?
    With no extensions running in Apache, what risk to the rest of the server do these files create?
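
An added example, not part of the original thread and not cPanel's own tooling: a shell audit that lists which accounts still carry the FrontPage leftovers described in this post. It assumes document roots at `<base>/<account>/public_html` and the standard FrontPage names (`_vti_*` directories, `service.pwd` as the password file); the function names and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit account docroots for leftover FrontPage artifacts.
# Assumptions: docroots live at <base>/<account>/public_html, and the
# "vti folders" from the thread are the standard _vti_* directories.

# Print "account<TAB>kind<TAB>path" for every FrontPage leftover under $1.
fp_residue_report() {
    local base=$1 docroot account
    for docroot in "$base"/*/public_html; do
        [ -d "$docroot" ] || continue
        account=$(basename "$(dirname "$docroot")")
        # _vti_* directories created by the FrontPage install step
        find "$docroot" -type d -name '_vti_*' 2>/dev/null |
            while IFS= read -r p; do printf '%s\tdir\t%s\n' "$account" "$p"; done
        # FrontPage password files (service.pwd lives in _vti_pvt)
        find "$docroot" -type f -path '*/_vti_pvt/service.pwd' 2>/dev/null |
            while IFS= read -r p; do printf '%s\tpwfile\t%s\n' "$account" "$p"; done
        # .htaccess files that still reference the FrontPage password store
        find "$docroot" -type f -name '.htaccess' -exec grep -l '_vti_pvt' {} + 2>/dev/null |
            while IFS= read -r p; do printf '%s\thtaccess\t%s\n' "$account" "$p"; done
    done
}

# List only the accounts that have at least one leftover.
fp_affected_accounts() {
    fp_residue_report "$1" | cut -f1 | sort -u
}

# Constructed sample tree (not real data): one account with residue, one clean.
fp_make_sample() {
    local base
    base=$(mktemp -d) || return 1
    mkdir -p "$base/alice/public_html/_vti_bin" "$base/alice/public_html/_vti_pvt" \
             "$base/bob/public_html/images"
    : > "$base/alice/public_html/_vti_pvt/service.pwd"
    printf 'AuthUserFile %s\n' "$base/alice/public_html/_vti_pvt/service.pwd" \
        > "$base/alice/public_html/_vti_bin/.htaccess"
    printf 'Options -Indexes\n' > "$base/bob/public_html/.htaccess"
    printf '%s\n' "$base"
}

# Run with --demo to see the report for the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    sample=$(fp_make_sample)
    fp_residue_report "$sample"
    rm -rf "$sample"
fi
```

On a real server, call `fp_residue_report /home` as root; accounts it lists can then be cleaned with the WHM uninstall option mentioned in the thread.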
     
  16. Kent Brockman

    Kent Brockman Well-Known Member

    Well, in spite of the expertise or not, and in spite of the fact that the access information in those folders is useless without the FP extensions, if you didn't compile FP support with Apache, those folders have nothing to do there: cPanel shouldn't have created them from the start when you create the account. This issue may or may not be a security hole, but you know, the devil is in the details. So, patching this issue is a recommended action.
     
  17. Silver_2000

    Silver_2000 Well-Known Member

    I agree that it should be possible to prevent the appearance of the install of FP, if for no other reason than to set expectations with customers and keep support questions to a minimum.

    Housekeeping issues, no doubt.

    But I'm most concerned about the FP security issues,

    which was my original question - are these files a security risk to the rest of the server?
     
  18. Kent Brockman

    Kent Brockman Well-Known Member

    The install sets several config files in the root of the account. I'm not an expert on Frontpage, that's why I say that this may or may not be a security hole. BTW, cleaning this will minimize customer questions about why FP appears to be installed in their accounts although its folders are completely useless.
     
  19. Kent Brockman

    Kent Brockman Well-Known Member

    Sorry to bump the thread, but today I found that this is still an issue. Can anybody at cPanel assign this issue a case number?
     
  20. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Why would you create an account without a package? The idea of the packages is to limit / disable certain features, right?

    Would you mind laying out the steps to reproduce this and I'll give it a try here to see if I can duplicate the issue.
     