[WEB4LIB] FrontPage [server extensions exploit] question

sean dreilinger sean at savvysearch.com
Wed Apr 28 14:39:56 EDT 1999


Thomas Dowling wrote:
> I'm seeing some hits in our web logs where people are trying both POSTs
> and GETs to URIs on our server named, for example, "/_vti_inf.html" and
> "/_vti_bin/shtml.exe".  I gather these URIs, if they existed, would be
> part of the Front Page server extensions.  My question is, why would
> someone be trying to access those URIs if our server does not have (and
> has never had) the FP extensions?

there are exploits to web servers running ms frontpage extensions. i
installed the frontpage extensions on unix years ago and promptly
removed them when i saw how it manipulated the web server's
configuration and unix permissions. never got into the remote frontpage
exploits but here are a few links if anyone is running frontpage server
extensions and wants to do their homework:

  http://www.insecure.org/sploits/Microsoft.frontpage.insecurities.html
 
http://www.genocide2600.com/~tattooman/rhino9-products/r9-frontpage-netbios.txt
  http://www.genocide2600.com/~tattooman/new-exploits-99/page.sh

nb microsoft may patch or fix these exploits from time to time, but i
suspect many server administrators are not clued in to monitor and
install such patches before its too late.

hth
--sean

--
mailto:sean at savvysearch.com                sean dreilinger, mlis
 http://www.savvysearch.com                http://durak.org/sean


More information about the Web4lib mailing list