Dangers of using Outdated Software and Misconfigurations II
Yes, it’s finally here. I’m extremely sorry for the lack of updates. I had been really really busy. Before I continue with this post, let me first congratulate smyl for being a daddy! Good luck man. =)
So, let’s get started. Who doesn’t know what’s FrontPage, say I!
No one? Everyone knows what’s FrontPage? There! I see a hand!
Right - FrontPage, for those who are still in the dark, is a WYSIWYG HTML editor made by Microsoft. Throughout the years, it has had many, many, many vulnerabilities discovered: files such as /_vti_pvt/administrators.pwd and /_vti_pvt/authors.pwd being accessible to unprivileged web users, /_vti_cnf showing full directory listings, /_vti_pvt being chmod 777, and so on.
Those are old vulnerabilities. Some of them might even exist now, I don’t know. But today’s post will cover a method of “hacking” FP-managed sites with just Google.
You can remotely administer the FrontPage Server Extensions from any computer connected to the Internet by using the FrontPage Server Extensions HTML Administration Forms, a set of Web pages that allow you to administer the FrontPage Server Extensions remotely. By FrontPage Server Extensions HTML Administration Forms, I mean this -

Entering a search string such as the following into Google -
inurl:fpadmin.htm
will yield many results.
http://hp.vector.co.jp/authors/VA005861/fpadmin.htm
http://www.champlainfarms.com/Forms/OFFICE2000/PFILES/COMMON/MSSHARED/WEBSRVEX/40/ADMCGI/FPADMIN.HTM
http://www.dapra.com/fp2k/fpadmin.htm
http://www.eurotraditions.com/Program%20Files/Common%20Files/Microsoft%20Shared/web%20server%20extensions/40/admcgi/FPADMIN.HTM
http://www.sxgtj.gov.cn/wjxz/%E6%96%87%E6%A1%A3%E5%A4%84%E7%90%86/Office2000/Office2000/PFILES/COMMON/MSSHARED/WEBSRVEX/40/ADMISAPI/FPADMIN.HTM
http://www.rec.mbu.ac.th/theeraphat/download/Program_setup/OFFICE2000Thai/PFILES/COMMON/MSSHARED/WEBSRVEX/40/ADMCGI/FPADMIN.HTM
etc.
Now, the thing is, because of the security implications of making remote FrontPage administration possible from Web browsers, the HTML Administration Forms are not active when they are first installed. The only reason you are able to access the sites above is that the users enabled the forms in the first place. Perhaps they need them for some reason or another. But the least they could do is protect the page.
How would you go about doing that? The first and easiest method that comes to mind is to use .htaccess. Don’t know how to use it? Read the comprehensive guide to .htaccess. It’s a great read and will teach you many things about .htaccess. Enable password protection on the directory and normal web users will not be able to access the page. Also, remember to use secure username / password combinations.
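An added example, not from the original post: a Python audit that walks a web root you administer, finds FrontPage admin forms and `_vti_pvt` password files, and reports whether an `.htaccess` at or above each one sets authentication. It assumes Apache with `AllowOverride AuthConfig` so that `.htaccess` is honoured; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

ADMIN_FORM, PWD_DIR = "fpadmin.htm", "_vti_pvt"  # names taken from the post
AUTH_RE = re.compile(r"^\s*(AuthType|Require)\b", re.I | re.M)

def has_auth(htaccess_path):
    """True if the file sets both AuthType and Require (commented lines ignored)."""
    try:
        with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
            found = {m.lower() for m in AUTH_RE.findall(fh.read())}
    except OSError:
        return False
    return found == {"authtype", "require"}

def is_protected(directory, root):
    """Look upward for an auth-enforcing .htaccess (assumes AllowOverride AuthConfig)."""
    current, root = os.path.abspath(directory), os.path.abspath(root)
    while True:
        if has_auth(os.path.join(current, ".htaccess")):
            return True
        if current == root or os.path.dirname(current) == current:
            return False
        current = os.path.dirname(current)

def audit_docroot(root):
    """Map each FrontPage admin form or .pwd file under root to protected?"""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        in_pvt = os.path.basename(dirpath).lower() == PWD_DIR
        for name in files:
            if name.lower() == ADMIN_FORM or (in_pvt and name.lower().endswith(".pwd")):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings[rel.replace(os.sep, "/")] = is_protected(dirpath, root)
    return findings

def demo():
    """Constructed tree: one protected admin form, one exposed form, one exposed .pwd."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("safe/admcgi", "open/ADMCGI", "open/_vti_pvt"):
            os.makedirs(os.path.join(root, d))
        for f in ("safe/admcgi/fpadmin.htm", "open/ADMCGI/FPADMIN.HTM", "open/_vti_pvt/authors.pwd"):
            open(os.path.join(root, f), "w").close()
        with open(os.path.join(root, "safe", ".htaccess"), "w") as fh:
            fh.write('AuthType Basic\nAuthName "FP"\nAuthUserFile /placeholder/.htpasswd\nRequire valid-user\n')
        return audit_docroot(root)

if __name__ == "__main__":
    print("\n".join(f"{'protected' if ok else 'EXPOSED'}  {p}" for p, ok in sorted(demo().items())))
```

Any path reported as exposed is a candidate for either removing the file or adding the password protection described above.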
I’ll be back with more soon!