Microsoft Corporation
Updated April 15, 1999
You can use the File Transfer Protocol (FTP) and the Microsoft® FrontPage® Server Extensions safely on Microsoft Internet Information Server (IIS) and on Apache servers that are running the FrontPage Apache patch (apache-fp). However, if you provide both FrontPage and FTP access on any other Web server, you must ensure that users cannot write to the executable FrontPage directory in the user's directory.
When you install the FrontPage Server Extensions, the extensions create an executable directory in the user's directory to store the FrontPage Server Extensions programs. Users who can upload files to their executable directory using FTP can also upload custom executable files that can run on the server. Under standard UNIX configurations, the Web server invokes this executable and runs it under the Web server's account. This means that the executable has permission to write to any file on the Web server, not just those files inside the user's Web.
This is a general problem with all FTP servers: you should never allow FTP uploads to any executable directory on your Web server. If you have such executable directories, you must ensure that your FTP server is configured to deny uploads to them.
On the wuftp server you can deny uploads by adding lines like:
upload root_dir */_vti_* no
to your ftpaccess file (replacing root_dir with the root FTP directory of each user). If you use another FTP server, see your server documentation for instructions on restricting uploads.
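The following check is an added example, not part of the original Microsoft text: it reports which user FTP root directories have no deny rule of the form shown above in an ftpaccess file. The function names, the sample paths and the sample file contents are constructed for illustration, and the check recognizes only the exact four-field rule form given on this page.

```shell
#!/bin/sh
# Added example: audit an ftpaccess file for the per-user rule
#   upload <root_dir> */_vti_* no
# and list every FTP root directory that lacks it.

# missing_vti_denies FTPACCESS ROOT_DIR...
# Prints each ROOT_DIR that has no matching deny rule, one per line.
missing_vti_denies() {
    ftpaccess=$1
    shift
    for root in "$@"; do
        # A rule counts only if it is not commented out and its fields are
        # exactly: upload, the root directory, the */_vti_* glob, and "no".
        if ! awk -v root="$root" '
            /^[ \t]*#/ { next }
            $1 == "upload" && $2 == root && $3 == "*/_vti_*" && $4 == "no" { found = 1 }
            END { exit found ? 0 : 1 }
        ' "$ftpaccess"; then
            printf '%s\n' "$root"
        fi
    done
}

# demo: run the audit against a constructed sample ftpaccess file.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample ftpaccess (not from a real server)
upload /home/alice */_vti_* no
upload /home/bob * yes
# upload /home/carol */_vti_* no
EOF
    # alice is covered; bob has no _vti_ deny rule; carol's rule is commented out.
    missing_vti_denies "$tmp" /home/alice /home/bob /home/carol
    rm -f "$tmp"
}

demo
```

Any directory the check prints still accepts FTP uploads into its FrontPage executable directories and needs the deny line added.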
This problem does not exist on IIS and apache-fp because on those Web servers any executables uploaded by a user will run as that user and have limited security privileges. You may still want to disallow uploads to the FrontPage directories on these servers if you do not want users to be allowed to add executable files to your Web server.