Bugtraq mailing list archives

Re: Some Past Frontpage Exploits


From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Mon, 27 Apr 1998 08:17:06 -0400


At 03:55 PM 4/26/98 -0700, chameleon wrote:
> 4. I saw a post today I believe about someone being able to connect to a
> server with frontpage server extensions and being able to alter the page
> without any password. The reason you can do this is the NT everyone group.
> It's very common that on a server with NT4.0 server, IIS3.0 and frontpage
> server extensions installed, you can alter their webpage via frontpage
> because the everyone group is on the computer and it drops you right in.
> That shouldn't be too hard to understand. Note: Right after installation of
> frontpage server extensions on an NT4.0 IIS3.0 box it adds the everyone
> group to have access to the server via frontpage explorer etc.

This is from lameness on the part of the admin.  When FP is running on NT,
you have an admin.dll and an author.dll.  The NTFS ACL on these DLLs sets
who can do what.  You typically want to make an authors group, and set
permissions to the DLL for that group.  If you set permissions on the DLL
to give access to everyone, then everyone is an author or an admin - whatever.

If the admin has also left the NTFS permissions on the web site at default,
you can probably use it to insert new content, and cause various bits of
mayhem.

Note that these DLLs aren't always global - there are ways to restrict
certain areas by adding more DLLs and changing their permissions.  See pg
371-372 in the IISRK for details.

Note - I have no idea what the default install permissions are.


David LeBlanc
dleblanc () mindspring com
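
An added example, not part of the original post: a PowerShell audit that finds every admin.dll and author.dll under a web root and reports any NTFS "Allow" entry granted to Everyone, which is the misconfiguration the reply describes. The default `$WebRoot` value is an assumption; point it at the server's actual content directory.

```powershell
# Added example (not from the original post): list FrontPage extension DLLs
# whose NTFS ACL grants access to the Everyone group.
param(
    # Assumption: location of the web content tree on this server.
    [string]$WebRoot = 'C:\InetPub\wwwroot'
)

# Well-known SID for Everyone. Matching on the SID instead of the display
# name keeps the check correct on localized Windows installs.
$everyoneSid = 'S-1-1-0'

Get-ChildItem -Path $WebRoot -Recurse -File -Include 'admin.dll', 'author.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $acl  = Get-Acl -LiteralPath $file.FullName

        # Include explicit and inherited ACEs, with identities resolved to SIDs.
        $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.IdentityReference.Value -eq $everyoneSid -and
                $_.AccessControlType -eq 'Allow'
            } |
            ForEach-Object {
                [pscustomobject]@{
                    File      = $file.FullName
                    # The DLL name decides which role the ACL is handing out.
                    Role      = if ($file.Name -ieq 'admin.dll') { 'admin' } else { 'author' }
                    Rights    = $_.FileSystemRights
                    Inherited = $_.IsInherited
                }
            }
    } |
    Format-Table -AutoSize
```

An empty result means no Everyone grant was found on those DLLs; it does not cover the NTFS permissions on the site content itself, which the reply calls out separately.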


