Frontpage Server Extensions Vuln Help
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Frontpage Server Extensions Vuln Help

  1. #1
    Junior Member
    Join Date
    Jun 2003
    Posts
    26

    Frontpage Server Extensions Vuln Help

    know its vulnreble... some password files lieng there you can grab... what passwords?

    remote login and authoring without a login and password to frontpage??? or what?


    and for what scans frontpage.pl by bansh33 of r00tabega ?

    coz it found this thingy on my iis, so i would like to read more about the vuln in bugtrq/security focus etc or any other source that i could understand what are the riscks and how patch and stuff.

  2. #2
    Senior Member
    Join Date
    Feb 2003
    Posts
    109
    what version of IIS and Frontpage extensions are you running? If you have all of the patches from Windows Update, you should not be vunerable to any authentication or directory traversal attacks.
    $person!=$kiddie or die(\"Alas, die you hotmail hacker!!\");
    SecureVision

  3. #3
    If you are worried about Front Page Extension vulnerabilities, check out Microsoft for patches or keep an eye out for new sploits that crop up.

    A good place to go is http://www.securityfocus.com/microsoft

    I wish you the best of luck in this matter; however, you are not very clear in your inquiry. Please reiterate the question if possible.

    Jack

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    The passwords that can get grabbed are the FrontPage administrator passwords for making changes too or even building a web site. This can be done remotly. In un-patched versions no user name or password is required if none have been entered.

    IIS FrontPage extensions are installed by default so even if one is wise enough not to use front page to build the site the extensions may still allow someone using FrontPage remotely to do anything they want to your site.

    A friend of mine built a site with dream weaver. He asked me to check the security on it. The first thing I did was open it in FrontPage. The login box came up and I hit enter without filling it in. So I renamed his index page and put one of my own in and saved the changes. He was rather embarrassed and I was sorry after I did it for acting like an ass instead of just telling him. but at least the whole world and the boss didn’t see it.

    Passwords (sometimes) and the local drive and path to the web directory can be read with an html GET request to the correct file.

    Frontpage.pl takes a list of servers, previously gotten by scanning an IP range for port 80 then loops through threw them looking for IIS servers that are un-patched. It doesn’t attempt to hack into them just tells you which ones they are. If you apply the patches (old ones at that) it will close these holes but chances are if your server was un-patched for these 2, your probably open to the Unicode exploit. More than likely your computer has been owned by a few others. And more than likely has a Trojan or two feeling quite at home there. You might find some full-length movies in rar file format buried deep in the winnt directory or some porn and some warez if your on broadband.

    If I were you Id download the latest service pack for your machine burn them onto cd, format re-install, then apply the service pack before I reconnected the machine to the internet. Then go and get any hot fixes that weren’t on it, from the ms update site.

    another site to check is http://www.packetstormsecurity.org/
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    Junior Member
    Join Date
    Jun 2003
    Posts
    26
    lol Tedob1
    my i installed the iis on my win2k just for security seasons i test on it vulns and bugs to learn more about them.

    i got iis 5 on win2k sp2 (yeah sp4 is out but im on 56k so i will keep for a while with sp2)
    and i didnt patched anything

    my iis is always down and only when i wanna test something i run it
    and i was almost owned once from israelian dude from the same isp as i do
    he used tftp (forgot to delete it) and he was upping some trojan so my antivirus notified my...
    i just formatted then and didnt installed firewall yet... well i noticed my 56k being extremly slow the hacker fed up upping the files becouse my conection was so slow
    well to bad for him...

    and i know how pubstro hacking works... 99% only knows iis unicode\decode and they use tftp... usually with servu named servudaemon... i would notice if i had such thing im not a wanna be sysop...

    now about frontpage... will see with the blank login
    wonder for what the frontpage.pl perl script looks for (what file?)


    last thing, not really conected but if you kinda mentioned it in unicode/decode if i wanna echo the "=" (i was bored once and tried echo some nonse spam) character how i do it? becouse it didnt worked for me on my server

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    this is the string frontpage.pl sends:

    send(CLIENT,"GET /_vti_inf.html HTTP/1.0\n\n",0);

    but the file thats needed is service.pwd

    try %3D or %3D% not sure

    servudeamon is standard ftp not trivial but your right you would see it amoung the proceses running. your first post gave no indication of what you knew
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  7. #7
    Junior Member
    Join Date
    Jun 2003
    Posts
    26
    yeah you will see servu running but usually hackers will change his name to some system process to be unnoticed the favourite is winmgmt... why? becouse there is a tutorial about hacking iis andd it sais to change your servu to this name... well some idiot script kiddies got typos and call it winmgNt...

    anyway i will noticed that something wrong becouse my 56k would get even slower

    anyway i got _vti_inf.html but didnt found service.pwd
    also tried that blank login but it wasnt succesful due to the fact that i couldnt find in ms frontpage 2000 somwhere something that conected to remote authoring...

    you said you modified your friends main page well can you tell me please where is this option is hiding?

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    did the tut mention how to keep the icon from showing up in systray...now thats funny...i wonder what that big green U is?


    its "open web" but in IE its an icon on the tool bar which automatically opens the web page in the default editor
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #9
    Junior Member
    Join Date
    Jun 2003
    Posts
    26
    hmmm the green U is of the servu administrator program (versions above 2.5x)
    in versions below 3.0 there is a green U but you can hide it with the /h parameter.

    anyway to the point... in IE i got only edit with notepad,excel and word...
    when i do open web it opens my local computer, but it suposed to be remote... so i want to open it as localhost 127.0.0.1 and not simply a file from the hard disk. am i wrong?

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    that wasn't really a question. ive seen it get installed with the icon in the task tray. i thought it was funny

    but anyway go to tool>>programs and select it as your html editor
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •