Re: Frontpage Web, Authoring Access

["Paul Kurczaba" <paul () myipis com>]

I personally do not use frontpage extensions due to its lack of security.

-Paul
----- Original Message ----- 
From: "Joey" <joey () our-town com>
To: <security-basics () securityfocus com>
Sent: Thursday, July 15, 2004 12:02 PM
Subject: Frontpage Web, Authoring Access


> Just a lurker, but a quick question..  I recently performed a scan of my
> domain with Nikto, results are below..
>
> +
/_vti_bin/_vti_aut/author.dll?method=list+documents%3a3%2e0%2e2%2e1706&servi
> ce
%5fname=&listHiddenDocs=true&listExplorerDocs=true&listRecurse=false&listFil
> es=t
rue&listFolders=true&listLinkInfo=true&listIncludeParent=true&listDerivedT=f
> alse
> &listBorders=false - We seem to have authoring access to the FrontPage
web.
> (POST)
>
> +
/_vti_bin/_vti_aut/author.exe?method=list+documents%3a3%2e0%2e2%2e1706&servi
> ce
%5fname=&listHiddenDocs=true&listExplorerDocs=true&listRecurse=false&listFil
> es=t
rue&listFolders=true&listLinkInfo=true&listIncludeParent=true&listDerivedT=f
> alse
> &listBorders=false - We seem to have authoring access to the FrontPage
web.
> (POST)
>
> It's reporting FrontPage authoring access..  ..this isn't good, obviously.
> But when I try to open my web in FrontPage, it's asking for
authentication.
> Is Nikto mis-reporting, or is there some other method of subversive
> authoring I'm unaware of .. ?
>
> If Nikto isn't mis-reporting, would upgrading to the latest versions of
> FrontPage fix the issue, or .. ?
>
> Appreciate any advice anyone has to offer..
>
> --
> Joey
>
>
> --------------------------------------------------------------------------
-
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or
less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the
skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------------------
--
>



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------