FrontPage Server Extensions Remediation Resources
There are a number of issues with FrontPage Server Extensions. This page primarily addresses permission vulnerabilities.
From Xforce at ISS:
- FrontPage Server Extensions Improper Permissions, http://xforce.iss.net/static/3682.php
Improper permissions on certain files installed by Microsoft FrontPage Server Extensions leave a Web site open to defacement.
From SecuriTeam:
- Windows 95/98 FrontPage extension security vulnerability, http://www.securiteam.com/exploits/2ZUQFQKQ0M.html
"Windows 95 and Windows 98's FrontPage extension contains a security vulnerability that allows the reading of files from directories above the default web server directory."
BACKGROUND INFORMATION
From SecurityFocus:
- "Some past FrontPage exploits," http://www.securityfocus.com/archive/1/9100
"4. I saw a post today I believe about someone being able to connect to a server with frontpage server extensions and being able to alter the page without any password. The reason you can do this is the NT everyone group. It's very common that a server with NT4.0 server, IIS3.0 and frontpage server extensions installed, you can alter their webpage via frontpage because the everyone group is on the computer and it drops you right in. That shouldn't be too hard to understand. Note: Right after installation of frontpage server extensions on an NT4.0 IIS3.0 box it adds the everyone group to have access to the server via frontpage explorer etc."
From Webmaschine:
A very good discussion of "FrontPage Security on IIS Systems" can be found at:
- http://www.webmaschine.at/support/pw/p/fpadmin/ (click the security tab) or http://www.webmaschine.at/support/pw/p/fpadmin/security.htm
