FrontPage Security Hole
Fix for significant security concern fix must be installed
ITINFO SponsorITrain - International Association of Information Technology TrainersThe professional association offering online resources to Information Technology trainers, including discounts on certified software learning guides. Membership open to individuals, training companies, and vendors of related products and services. "An especially highly-recommended way to stay current [as a computer trainer] is to join ITrain, the International Association of Information Technology Trainers." "ITrain.org has been selected as one of the best educational resources on the web." |
|
MS Quietly Fixes Serious Bugs in FrontPage Server Extensions
by Dave MurphyISSN 1535-3613
Microsoft has quietly plugged a security hole in FrontPage Server Extensions. In version 1.2, the hole is fixed.
The security hole made it a simple matter to direct a denial-of-service (DoS) attack against a website that employs FrontPage extensions.
The fix is good. The way it was released is bad. In my judgment, Microsoft should openly report the FrontPage Extensions fix so that as many webmasters as possible will install the update. Heck, I haven't talked to any webmasters that were even aware of the hole. It seems to me that Microsoft is trying to hide the hole by not talking about it or talking about the fix.
I didn't even see an MS security advisory on the issue, which was first discovered on July 5th.
It's significant because a DoS attack can cripple a webserver and bring the site effectively offline.
The hole allows access to back-end site functions. To exploit the hole, the cracker must request a URL through the shtml.exe component of the FrontPage Server Extensions. The requested URL must include a DOS device name followed with the .htm extension, such as http://www.bubba.com/_vti_bin/shtml.exe/com1.htm.
When this type of URL is sent to the server, all FrontPage operations will be disabled for that site. Services such as web authoring, web administration, webfolders, InterDev, and webbot operations will be blocked.
By exploiting this hole, crackers could disable a commercial e-commerce site, lock employees out of an intranet site. Even access to confidential client transaction records such as credit card data could be gained by a skillful intruder.
By sending URLs with certain DOS device names such as MAILSLOT, PIPE, and UNC, details of the server's physical path can be discovered.
The Bottom Line
If your website uses FrontPage Extensions, make sure your webmaster installs version 1.2 immediately. Until it's installed neither your site nor its data is secure.
Call for Comments
What do you think? Leave your comments on the message center.
References
MicrosoftMicrosoft Security Advisories
Message Center
Upcoming Articles
I'm working on a series of articles related to email and file encryption, privacy, and the changing ecology of the Internet as it's affected by users' awareness of and need for privacy and the protection of personal data. If you have any suggestions or articles that you think I should review, please drop me a note at member@itrain.org. Thanks.
Damar Group, Ltd. helps business use technology.
ITINFO is again accepting sponsors. Sponsor messages are included in ITINFO's email newsletter and are permanently posted to DGL's website and online reference areas.
ITINFO is an electronic publication of Damar Group, Ltd., publisher of Training Express computer learning guides. Comments and submissions to info@dgl.com.
Previous issues are on our website at http://dgl.com/itinfo/.
updated August 24, 2000
http://dgl.com/itinfo/2000/it000824.html
Return to DGL homepage
Copyright © 2000, Damar Group, Ltd., All Rights Reserved