nessus | This script is Copyright (C) 1999-2022 Tenable Network Security, Inc. | FRONTPAGE.NASL
History: Aug 22, 1999 - 12:00 a.m.

Microsoft FrontPage Extensions Check

1999-08-22 00:00:00
This script is Copyright (C) 1999-2022 Tenable Network Security, Inc.
www.tenable.com
293

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.16

Percentile

96.0%

The remote web server appears to be running with the FrontPage extensions.

FrontPage allows remote web developers and administrators to modify web content from a remote location. While this is a fairly typical scenario on an internal local area network, the FrontPage extensions should not be available to anonymous users via the Internet (or any other untrusted 3rd party network).

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

# Modified by John [email protected] to add "open service" call and
# add 2 more files to look for

include('deprecated_nasl_level.inc');
include('compat.inc');

# Plugin registration block: when `description` is set, the script only
# declares its metadata (id, CVE, texts, CVSS vectors, dependencies, ports)
# and exits without sending any traffic.
if (description)
{
  script_id(10077);
  script_version("1.59");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  # The CVE below is also declared as the source of the CVSS score further down.
  script_cve_id("CVE-2000-0114");

  script_name(english:"Microsoft FrontPage Extensions Check");

  script_set_attribute(attribute:"synopsis", value:
"FrontPage extensions are enabled.");
  script_set_attribute(attribute:"description", value:
"The remote web server appears to be running with the FrontPage
extensions.  

FrontPage allows remote web developers and administrators to modify
web content from a remote location.  While this is a fairly typical
scenario on an internal local area network, the FrontPage extensions
should not be available to anonymous users via the Internet (or any
other untrusted 3rd party network).");
  # NOTE(review): the solution text is "n/a", so a reader of the finding gets
  # no remediation step; the description above only states that the extensions
  # should not be reachable by anonymous users from untrusted networks.
  script_set_attribute(attribute:"solution", value:
"n/a");
  # Both vectors rate the issue as network-reachable, unauthenticated, with a
  # confidentiality impact only (C:P in CVSS2, C:L in CVSS3; I:N, A:N).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2000-0114");

  script_set_attribute(attribute:"plugin_publication_date", value:"1999/08/22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:frontpage");
  # Declares that the plugin has extra checks gated on `thorough_tests`
  # (the additional file probes at the end of the script).
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  # Registered as an information-gathering check in the "Web Servers" family.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 1999-2022 Tenable Network Security, Inc.");

  # Depends on the two listed plugins and requires a known web service or port 80.
  script_dependencies("find_service1.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);

  # End of the description pass; nothing below runs in this mode.
  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

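# Pick the HTTP port to test (falls back to 80).
port = get_http_port(default:80);

# Skip servers the knowledge base marks as not returning 404 codes: a 200
# answer from such a server says nothing about whether the FrontPage
# endpoints really exist, so any finding would be unreliable.
# NOTE(review): this reads "www/<port>/no404", while the thorough-tests loop
# later in this script reads "www/no404/<port>" -- confirm both keys are intended.
if (get_kb_item("www/" + port + "/no404"))
  exit(0, "The web server on port " + port + " does not return 404 codes.");

# Probe the FrontPage RPC endpoint with a plain GET; anything other than a
# 200 status ends the check here.
r = http_send_recv3(
  port: port,
  method: "GET",
  exit_on_fail: 1,
  item: "/_vti_bin/shtml.dll/_vti_rpc"
);
if (r[0] !~ "^HTTP/.\.. 200 ")
  # Leading space added: the original message glued the URL and the text
  # together ("..._vti_rpccannot be read.").
  exit(0, build_url(qs:"/_vti_bin/shtml.dll/_vti_rpc", port: port) + ' cannot be read.');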

# Request headers sent with the "open service" RPC call; the User-Agent
# identifies the request as coming from a FrontPage 4.0 client.
fp_headers = make_array(
  "Accept", "*/*",
  "User-Agent", "MSFrontPage/4.0",
  "Content-Type", "application/x-www-form-urlencoded",
  "MIME-Version", "1.0",
  "X-Vermeer-Content-Type", "application/x-www-form-urlencoded"
);
# Content-Length=58??

# POST the "open service" method against the root web ("/") without
# supplying any credentials.
res = http_send_recv3(
  port: port,
  method: "POST",
  item: "/_vti_bin/shtml.dll/_vti_rpc",
  data: 'method=open+service%3a3%2e0%2e2%2e1105&service%5fname=%2f\r\n',
  exit_on_fail: 1,
  add_headers: fp_headers
);

# Two signals from the answer: a body line naming the user as '(unknown)',
# and a response header mentioning the FrontPage RPC content type.
# NOTE(review): in ".*x-vermeer-rpc*" the trailing "*" applies to the last
# "c", so the pattern effectively matches "x-vermeer-rp" -- confirm whether a
# literal "x-vermeer-rpc" was meant.
unknown_user_line = egrep(pattern:"^<li>msg=The user '\(unknown\)'", string:res[2]);
vermeer_header = egrep(pattern:".*x-vermeer-rpc*", string: res[1]);

if (!unknown_user_line && vermeer_header)
{
  # Look for an error line that quotes a user name together with the
  # 'open service' method name.
  msg = egrep(pattern:".*<li>msg=.*'.*'.*'open service'.*", string: res[2]);
  if (msg)
  {
    # The account name is taken verbatim from the server's response body, so
    # it is remote-controlled text: consumers of the report should treat it
    # as untrusted data.
    user = ereg_replace(pattern:".*<li>msg=.*'(.*)'.*'open service'.*", string: res[2], replace:"\1");

    report = '\n' +
             'The remote frontpage server leaks information regarding the name of the anonymous user.\r\n' +
             'By knowing the name of the anonymous user, more sophisticated attacks may be launched.\r\n' +
             'We could gather that the name of the anonymous user is : ' + user;

    # Record that FrontPage was seen on this host, then report and stop.
    set_kb_item(name:"www/frontpage", value:TRUE);
    security_warning(port:port, extra:report);
    exit(0);
  }
}

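# Extra probes, run only when thorough tests are enabled: look for the
# FrontPage admin/author DLLs and the shtml.exe RPC endpoint.
if (thorough_tests)
{
  # The KB value does not depend on the file being probed, so read it once
  # instead of on every loop iteration.
  # presumably this holds the server's "not found" page signature -- verify
  # against the plugin that sets it.
  no404 = get_kb_item(strcat('www/no404/', port));

  files = make_list(
    "/_vti_bin/_vti_adm/admin.dll",
    "/_vti_bin/_vti_aut/author.dll",
    "/_vti_bin/shtml.exe/_vti_rpc"
  );

  foreach file (files)
  {
    if (is_cgi_installed3(item: file, port:port))
    {
      # Confirm with an empty POST: only a 200 status counts as a hit.
      r = http_send_recv3(item: file, method: 'POST', port:port, exit_on_fail: 1);
      if (r[0] =~ "^HTTP/1\.[01] +200 ")
      {
        # If the stored no404 text appears (case-insensitively) anywhere in
        # the status line, headers or body, the 200 is not trusted and the
        # script ends without reporting, to avoid a false positive.
        if (no404 && tolower(no404) >< tolower(r[0] + '\r\n' + r[1] + '\r\n\r\n' + r[2]))
          exit(0);

        # First confirmed file is enough: report, remember FrontPage in the
        # KB, and stop.
        security_warning(port);
        set_kb_item(name:"www/frontpage", value:TRUE);
        exit(0);
      }
    }
  }
}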



CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.16

Percentile

96.0%
