Microsoft FrontPage Vulnerabilities

Impact

A remote attacker could take control of the web site, and possibly the system as well.

Background

Web servers which include Microsoft FrontPage Server Extensions have special accounts to authenticate web server administrators, web page authors, and web site visitors. The account names and encrypted passwords are stored in FrontPage password files in the /_vti_pvt directory. The password file is named service.pwd on Microsoft web servers; on Netscape web servers the files are named administrators.pwd, authors.pwd, and users.pwd.

The Problem

The FrontPage password file(s) indicated on the previous screen, next to the link to this tutorial, are readable by an unprivileged web user. An attacker could crack the encrypted passwords and gain unauthorized access to the web site. If any users' FrontPage passwords are the same as their system passwords, the system could be compromised as well.

Resolutions

Set the permissions on the FrontPage password file(s) to be more restrictive. The exact permissions which should be used are not specified. Use the most restrictive permissions possible without denying access to legitimate users.

On Windows NT systems:

  1. Find the file in Windows Explorer
  2. Click on the file with the right mouse button
  3. Select Properties
  4. Click on the Security Tab
  5. Click on the Permissions button
  6. Change or remove permissions on the file as necessary.

On Unix systems:

Use the chmod command.
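As an added example (not part of the original advisory), the following shell functions find the FrontPage password files named above under a document root, report those whose mode grants read access to "other", and remove that access with chmod. The function names and the o-rwx policy are assumptions for illustration; the sketch also assumes the web server's worker account is neither the owner nor in the group of the files, so check that legitimate FrontPage authoring still works afterwards.

```shell
#!/bin/sh
# Added example: audit FrontPage password files under a web document root.
# File names and the _vti_pvt directory come from the advisory text; the
# function names and the "remove other access" policy are assumptions.

# Print each FrontPage password file under "$1" whose mode has the
# world-read bit set (-perm -004 matches when that bit is present).
list_exposed_pwd() {
    find "$1" -type f -path '*/_vti_pvt/*' \
        \( -name service.pwd -o -name administrators.pwd \
           -o -name authors.pwd -o -name users.pwd \) \
        -perm -004 -print
}

# Remove all "other" access from each exposed file. Owner and group bits
# are left untouched so that legitimate users keep their access.
restrict_exposed_pwd() {
    list_exposed_pwd "$1" | while IFS= read -r f; do
        chmod o-rwx "$f" && printf 'restricted: %s\n' "$f"
    done
}

# When run with a document root as argument, only list (non-destructive).
if [ "$#" -gt 0 ]; then
    list_exposed_pwd "$1"
fi
```

After reviewing the listing, source the file and call restrict_exposed_pwd on the same document root, then re-run the listing to confirm it is empty.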

Where can I read more about this?

See the Rhino 9 Advisory for more information about this vulnerability. More details about FrontPage password files can be found in a Web Workshop from Microsoft.