Insecure FrontPage extension configuration

OWASP 2013-A5 OWASP 2017-A6 CWE-16 WASC-13

An application’s web server and application server configurations play a major role in securing the web application. Many HTML pages contain information about the FrontPage extensions. This information helps an attacker plan a successful intrusion and inject code into a user’s session. The attacker can also manipulate the vulnerable application to include malicious script content in its dynamic pages.

When a file is uploaded using FrontPage, the client first fetches the file and then uploads it to the web server with a POST request to http://www.example.beaglesecurity.com/_vti_bin/shtml.exe/_vti_rpc. If the server binary is not password protected, an attacker can easily upload data without any issues. FrontPage keeps all its configuration files as text files in the _vti_pvt directory. An attacker can open this folder in a browser and view all the files and their contents.

Example

The URL below can be used to access the passwords of a web application that uses FrontPage.

http://www.example.beaglesecurity.com/_vti_pvt/administrators.pwd

Impact

The impact includes:

  • Data Breach
  • Manipulation of data
  • The attacker can get full access to the server.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Restrict access to files in the webroot.
  • Install the patch that fixes this vulnerability.
  • Apply the latest security updates for FrontPage.
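
One way to verify from the server's own access logs that these restrictions hold (an added example, not part of the original advisory): the script flags requests where a file under _vti_pvt was actually served, and POSTs to the _vti_rpc endpoint that succeeded without an authenticated user. It assumes Common Log Format with the authenticated user in the third field; the sample lines, function names and finding labels are constructed for illustration.

```python
import re

# Common Log Format: host ident authuser [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /_vti_pvt/administrators.pwd HTTP/1.1" 200 112
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /_vti_pvt/administrators.pwd HTTP/1.1" 403 199
198.51.100.4 - - [10/Oct/2023:14:02:11 +0000] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 540
192.0.2.10 - webadmin [10/Oct/2023:14:05:02 +0000] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 540
192.0.2.10 - - [10/Oct/2023:14:06:45 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

def classify(line):
    """Return (host, finding, path) for a risky FrontPage request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # unparseable line: nothing to report
    # Drop the query string and compare case-insensitively.
    path = m["path"].split("?", 1)[0].lower()
    served = m["status"].startswith("2")  # 2xx: the server fulfilled the request
    # Any successful read under _vti_pvt means configuration files are exposed.
    if path.startswith("/_vti_pvt/") and served:
        return (m["host"], "config-file-served", m["path"])
    # A successful RPC POST with no authenticated user ("-") means the
    # server binary accepted an upload request without a password.
    if (m["method"] == "POST" and path.startswith("/_vti_bin/")
            and path.endswith("/_vti_rpc") and served and m["user"] == "-"):
        return (m["host"], "unauthenticated-rpc-post", m["path"])
    return None

def scan(lines):
    """Classify every log line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for host, finding, path in scan(SAMPLE_LOG.splitlines()):
        print(f"{finding}: {host} -> {path}")
```

A 403 on the same paths, or an RPC POST carrying a user name, is not reported, so an empty result on real logs indicates the access restrictions are being enforced for the traffic seen.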
