Security Incidents mailing list archives

Re: Unknown web log entry - new FrontPage exploit?

From: TJ Jablonowski <t.jablonowski () MAIL-2-GO COM>
Date: Fri, 22 Dec 2000 04:46:06 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If I remember correctly it is part of Office2K server extensions, an
subset of the FP Server extensions.  Don't have a machine to check
right now though so not sure. Could somebody be using a component
from it in their webpage???

- ----- Original Message -----
From: "Michael Katz" <mike () RESPONSIBLE COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, December 21, 2000 16:44
Subject: Unknown web log entry - new FrontPage exploit?

Hi all,

Recently, I have noticed the following web log entry appearing 2-3
times per day.

GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2202&STRMVER=4&CAPREQ=0

Based on the _vti_bin directory, I believe it's associated with
FrontPage. When I tested the entry against a server using FrontPage
extension, I receive the following message:


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOkMi22+7g8loOAk5EQKfhQCg12dZqBxHNni5Vpj3HZo6ugCprZsAn1fk
seLToWv48lT0Hvxg3dWJMhMj
=edLV
-----END PGP SIGNATURE-----

Current thread:

udp port 500 scans Blake Frantz (Dec 21)
- Re: udp port 500 scans Jeff (Dec 21)
- Re: udp port 500 scans Greg Woods (Dec 21)
  - Unknown web log entry - new FrontPage exploit? Michael Katz (Dec 21)
    - Re: Unknown web log entry - new FrontPage exploit? TJ Jablonowski (Dec 22)
  - Re: udp port 500 scans TJ Jablonowski (Dec 21)
- <Possible follow-ups>
- Re: udp port 500 scans Green, Art (MED) (Dec 21)