Penetration Testing mailing list archives

Microsoft FrontPage Extensions Site Defacement


From: Juan B <juanbabi () yahoo com>
Date: Sat, 8 Mar 2008 21:23:14 -0800 (PST)

Hi All,

For a client I am doing a pt on his web site.
With a vulnerability scanner I found FrontPage
extensions enabled.

The scanner reports:

Security Risk
It is possible to upload, modify or delete web pages,
scripts and files on the web server


Possible Causes
Improper permissions/ACLs were set to file/directory


Technical Description
FrontPage defines three kinds of users for every
FrontPage web: administrators, authors and browsers
(end-users). All permissions are cumulative; all
authors also have browsing permission, and all
administrators also have authoring and browsing
permissions. In FrontPage, the list of administrators,
authors and browsers is defined on a per-web basis.
All content in a FrontPage web will be accessible to
the same set of users and groups. It is not possible
to control permissions on a per-file or per-directory
basis with FrontPage. All FrontPage sub-webs either
inherit the permissions (list of administrators,
authors and browsers) of the FrontPage root web or use
their own, unique permissions. Each FrontPage web
(including each sub-web) contains copies of three
ISAPI DLLs that make up the FrontPage Server
Extensions. These DLLs are created in directories
below the top-level directory of a FrontPage web: 
[1] _vti_bin/_vti_adm/admin.dll for administrative
tasks 
[2] _vti_bin/_vti_aut/author.dll for authoring
FrontPage webs 
[3] _vti_bin/shtml.dll for browse-time FrontPage
components such as form handlers. 

These files must be set with restrictive permissions
in order not to allow site defacement, since the files
can be used to modify the web content remotely. 


This is what the scanner sends:
GET /_vti_bin/_vti_aut/author.exe HTTP/1.0
Cookie: ASP.NET_SessionId=nenizo45ytkot245dfgcaq45
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: www.cimmyt.org


Does someone know how I can exploit this or where I
can find a working exploit?

Thanks a lot!

Juan
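
Added example, not part of the original post or of the scanner's output: a log review that finds requests to the three FrontPage Server Extensions endpoints named in the scanner's description and records how the server answered each one. It assumes IIS W3C logs with a #Fields header; the sample log lines, IP addresses and verdict labels are constructed for illustration, and the .exe variants are matched because the scanner's own request used author.exe.

```python
import re

# Endpoints from the scanner's description; group 1 is set only for the
# administrative and authoring paths, not for shtml (browse-time).
FPSE = re.compile(
    r"/_vti_bin/(?:(_vti_adm/admin|_vti_aut/author)|shtml)\.(?:dll|exe)(?:/|$)",
    re.I)
ROLE = {"_vti_adm/admin": "administrative", "_vti_aut/author": "authoring"}

# Constructed sample input (documentation IP ranges, made-up requests).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2008-03-08 21:20:01 192.0.2.10 GET /_vti_bin/_vti_aut/author.exe 200
2008-03-08 21:20:02 192.0.2.10 POST /_vti_bin/_vti_adm/admin.dll 401
2008-03-08 21:20:03 198.51.100.7 POST /_vti_bin/shtml.dll 200
2008-03-08 21:20:04 198.51.100.7 GET /index.htm 200
"""

def review(log_text):
    """Return (client, path, role, status, verdict) per FPSE request."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for following rows
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        path = rec.get("cs-uri-stem", "")
        m = FPSE.search(path)              # also matches inside sub-webs
        if not m:
            continue
        role = ROLE.get((m.group(1) or "").lower(), "browse-time")
        raw = rec.get("sc-status", "")
        status = int(raw) if raw.isdigit() else 0
        if role == "browse-time":
            verdict = "expected"           # shtml serves end-user forms
        elif status in (401, 403):
            verdict = "denied"             # access control answered
        elif status == 404:
            verdict = "absent"
        else:
            verdict = "review-acl"         # prompt to check permissions
        findings.append((rec.get("c-ip"), path, role, status, verdict))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A "review-acl" verdict only says the administrative or authoring endpoint answered without a 401/403; whether the file and web permissions are actually too loose still has to be checked on the server.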




