ID FRONTPAGE.NASL Type nessus Reporter This script is Copyright (C) 1999-2020 Tenable Network Security, Inc. Modified 1999-08-22T00:00:00
Description
The remote web server appears to be running with the FrontPage
extensions.
FrontPage allows remote web developers and administrators to modify
web content from a remote location. While this is a fairly typical
scenario on an internal local area network, the FrontPage extensions
should not be available to anonymous users via the Internet (or any
other untrusted 3rd party network).
#
# (C) Tenable Network Security, Inc.
#
# Modified by John Lampe...j_lampe@bellsouth.net to add "open service" call and
# add 2 more files to look for
include("compat.inc");
# Registration phase. When `description` is set, the script only declares its
# metadata and leaves through the exit(0) at the end of this block, so none of
# the probing code further down runs.
if(description)
{
  script_id(10077);
  script_version ("1.58");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/09/02");
  # Only CVE cited by the plugin; cvss_score_source below attributes the CVSS
  # vectors to it as well.
  script_cve_id("CVE-2000-0114");
  script_name(english: "Microsoft FrontPage Extensions Check");
  script_set_attribute(attribute:"synopsis", value:
"FrontPage extensions are enabled." );
  # The description literal spans several source lines; its continuation lines
  # are part of the string and are therefore left unindented.
  script_set_attribute(attribute:"description", value:
"The remote web server appears to be running with the FrontPage
extensions.
FrontPage allows remote web developers and administrators to modify
web content from a remote location. While this is a fairly typical
scenario on an internal local area network, the FrontPage extensions
should not be available to anonymous users via the Internet (or any
other untrusted 3rd party network)." );
  # NOTE(review): no remediation text is supplied. The description above only
  # states that the extensions should not be reachable by anonymous users from
  # untrusted networks; an analyst has to derive the fix from that sentence.
  script_set_attribute(attribute:"solution", value:"n/a" );
  # Both vectors describe a network-reachable, unauthenticated issue with
  # partial/low confidentiality impact and no integrity or availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2000-0114");
  script_set_attribute(attribute:"plugin_publication_date", value: "1999/08/22");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:frontpage");
  script_end_attributes();
  script_summary(english: "Checks for the presence of Microsoft FrontPage extensions");
  # Going by the constant's name, this files the plugin as information
  # gathering; confirm against the engine's category list.
  script_category(ACT_GATHER_INFO);
  script_copyright(english: "This script is Copyright (C) 1999-2020 Tenable Network Security, Inc.");
  script_family(english: "Web Servers");
  # NOTE(review): the probing code reads "no404" knowledge-base entries, but the
  # plugin that writes them is not named here. Presumably it is pulled in
  # through one of these two dependencies; confirm.
  script_dependencie("find_service1.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}
#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
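# Resolve the web port to test, passing 80 as the default.
port = get_http_port(default:80);

# Stop early when the knowledge base marks this server as one that does not
# return 404 codes: a 200 from such a server says nothing about whether the
# FrontPage endpoint exists.
# NOTE(review): this lookup uses the key layout "www/<port>/no404", while the
# thorough-tests section further down reads "www/no404/<port>". Only one of the
# two can match what the no404 detection writes; confirm which, otherwise this
# guard may never fire.
if (get_kb_item("www/" + port + "/no404"))
  exit(0, "The web server on port "+port+" does not return 404 codes.");

# Baseline GET of the FrontPage RPC endpoint. exit_on_fail makes the script
# stop if the request itself fails; any status other than 200 ends the check
# with an audit message naming the URL.
r = http_send_recv3(port: port, method: "GET",
                    exit_on_fail: 1,
                    item: "/_vti_bin/shtml.dll/_vti_rpc");
if (r[0] !~ "^HTTP/.\.. 200 ")
  # Leading space keeps the URL and the message text from running together.
  exit(0, build_url(qs:"/_vti_bin/shtml.dll/_vti_rpc", port: port) + ' cannot be read.');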
# Request headers for the RPC call; the User-Agent identifies the client as
# MSFrontPage/4.0 and the X-Vermeer-Content-Type header is sent alongside the
# regular Content-Type.
h = make_array( "Accept", "*/*",
                "User-Agent", "MSFrontPage/4.0",
                "Content-Type", "application/x-www-form-urlencoded",
                "MIME-Version", "1.0",
                "X-Vermeer-Content-Type", "application/x-www-form-urlencoded");
# Original author's note: "Content-Length=58??". The body below is 57
# characters plus the trailing \r\n. No Content-Length is set in `h`, so
# http_send_recv3 is presumably left to compute it; confirm in http.inc.

# URL-decoded, the body reads "method=open service:3.0.2.1105" and
# "service_name=/": an "open service" RPC against the root web.
r = http_send_recv3( port: port, method: "POST",
                     item: "/_vti_bin/shtml.dll/_vti_rpc",
                     data: 'method=open+service%3a3%2e0%2e2%2e1105&service%5fname=%2f\r\n',
                     exit_on_fail: 1,
                     add_headers: h);

# Continue only when (a) no body line begins with "<li>msg=The user '(unknown)'"
# and (b) r[1] mentions the vermeer RPC marker. r[1] looks like the header block,
# judging by how the response is reassembled in the thorough-tests section.
# NOTE(review): in "x-vermeer-rpc*" the trailing "*" applies to the final "c",
# so the pattern also accepts "x-vermeer-rp"; harmless in practice but probably
# not intended.
if(! egrep(pattern:"^<li>msg=The user '\(unknown\)'", string:r[2]) &&
   egrep(pattern:".*x-vermeer-rpc*", string: r[1]))
{
  # Look for an error line that quotes a name and then 'open service'.
  msg = egrep(pattern:".*<li>msg=.*'.*'.*'open service'.*", string: r[2]);
  if ( msg )
  {
    # Pull the quoted name out of the reply.
    # NOTE(review): the substitution runs on the whole body r[2], not on the
    # matched line(s) in `msg`. With greedy ".*" the capture depends on how the
    # regex engine treats newlines; verify on a multi-line reply.
    user = ereg_replace(pattern:".*<li>msg=.*'(.*)'.*'open service'.*", string: r[2], replace:"\1");
    # `user` comes straight from the remote server and is appended to the
    # report unmodified; consumers of the report should treat it as untrusted text.
    myreport = 'The remote frontpage server leaks information regarding the name of the anonymous user.\r\n';
    myreport += 'By knowing the name of the anonymous user, more sophisticated attacks may be launched.\r\n';
    myreport += 'We could gather that the name of the anonymous user is : ' + user;
    # Record in the knowledge base that FrontPage was seen on this host.
    set_kb_item(name:"www/frontpage", value:TRUE);
    report = '\n' + myreport;
    security_warning (port:port, extra:report);
    exit(0);
  }
}
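# Optional deeper pass, run only when `thorough_tests` is set. It is reached
# only if the earlier GET of /_vti_bin/shtml.dll/_vti_rpc returned 200 and the
# "open service" reply did not already produce a report.
#
# NOTE(review): this pass reports on the presence of a FrontPage component
# alone. It does not observe the anonymous-account disclosure described by
# CVE-2000-0114, although the plugin's CVE and CVSS metadata are attached to
# every report; read a finding from this branch as "extensions reachable",
# not as a confirmed leak.
if (thorough_tests)
{
  files = make_list("/_vti_bin/_vti_adm/admin.dll",
                    "/_vti_bin/_vti_aut/author.dll",
                    "/_vti_bin/shtml.exe/_vti_rpc");
  foreach file (files)
  {
    if (is_cgi_installed3(item: file, port:port))
    {
      # Key layout here is "www/no404/<port>"; the guard near the top of the
      # script reads "www/<port>/no404". Confirm which one the no404 detection writes.
      name = strcat('www/no404/', port);
      no404 = get_kb_item(name);
      r = http_send_recv3(item: file, method: 'POST', port:port, exit_on_fail: 1);
      if (r[0] =~ "^HTTP/1\.[01] +200 ")
      {
        # If the KB holds a no404 value for this port and that text occurs
        # (case-insensitively) anywhere in the reassembled response, the 200 is
        # treated as the server's error page and nothing is reported.
        if (no404 && tolower(no404) >< tolower(r[0]+'\r\n'+r[1] + '\r\n\r\n'+r[2]))
          exit(0);
        set_kb_item(name:"www/frontpage", value:TRUE);
        # Name the URL that answered, so the finding carries its own evidence
        # in the same way the anonymous-user branch does.
        report = '\nThe following FrontPage component answered a POST request with an HTTP 200 status :\n\n  ' + build_url(qs:file, port:port) + '\n';
        security_warning(port:port, extra:report);
        exit(0);
      }
    }
  }
}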
{"id": "FRONTPAGE.NASL", "bulletinFamily": "scanner", "title": "Microsoft FrontPage Extensions Check", "description": "The remote web server appears to be running with the FrontPage\nextensions. \n\nFrontPage allows remote web developers and administrators to modify\nweb content from a remote location. While this is a fairly typical\nscenario on an internal local area network, the FrontPage extensions\nshould not be available to anonymous users via the Internet (or any\nother untrusted 3rd party network).", "published": "1999-08-22T00:00:00", "modified": "1999-08-22T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "https://www.tenable.com/plugins/nessus/10077", "reporter": "This script is Copyright (C) 1999-2020 Tenable Network Security, Inc.", "references": [], "cvelist": ["CVE-2000-0114"], "type": "nessus", "lastseen": "2020-09-04T02:26:08", "edition": 19, "viewCount": 43, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2000-0114"]}, {"type": "osvdb", "idList": ["OSVDB:67"]}], "modified": "2020-09-04T02:26:08", "rev": 2}, "score": {"value": 5.1, "vector": "NONE", "modified": "2020-09-04T02:26:08", "rev": 2}, "vulnersScore": 5.1}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# Modified by John Lampe...j_lampe@bellsouth.net to add \"open service\" call and\n# add 2 more files to look for\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10077);\n script_version (\"1.58\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/02\");\n\n script_cve_id(\"CVE-2000-0114\");\n\n script_name(english: \"Microsoft FrontPage Extensions Check\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"FrontPage extensions are enabled.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server appears to be running with the FrontPage\nextensions. 
\n\nFrontPage allows remote web developers and administrators to modify\nweb content from a remote location. While this is a fairly typical\nscenario on an internal local area network, the FrontPage extensions\nshould not be available to anonymous users via the Internet (or any\nother untrusted 3rd party network).\" );\n script_set_attribute(attribute:\"solution\", value:\"n/a\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2000-0114\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"1999/08/22\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:frontpage\");\n script_end_attributes();\n\n script_summary(english: \"Checks for the presence of Microsoft FrontPage extensions\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english: \"This script is Copyright (C) 1999-2020 Tenable Network Security, Inc.\");\n script_family(english: \"Web Servers\");\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\n\nif (get_kb_item(\"www/\" + port + \"/no404\") )\n exit(0, \"The web server on port \"+port+\" does not return 404 codes.\");\n\nr = http_send_recv3( port: port, method: \"GET\", \n \t\t exit_on_fail: 1,\n \t\t item:\"/_vti_bin/shtml.dll/_vti_rpc\");\nif (r[0] !~ \"^HTTP/.\\.. 
200 \")\n exit(0, build_url(qs:\"/_vti_bin/shtml.dll/_vti_rpc\", port: port) + 'cannot be read.');\n\nh = make_array( \"Accept\", \"*/*\", \n \t\t\"User-Agent\", \"MSFrontPage/4.0\",\n\t\t\"Content-Type\", \"application/x-www-form-urlencoded\",\n\t\t\"MIME-Version\", \"1.0\",\n\t\t\"X-Vermeer-Content-Type\", \"application/x-www-form-urlencoded\");\n# Content-Length=58??\n\nr = http_send_recv3( port: port, method: \"POST\", \n \t\t item: \"/_vti_bin/shtml.dll/_vti_rpc\",\n\t\t data: 'method=open+service%3a3%2e0%2e2%2e1105&service%5fname=%2f\\r\\n',\n\t\t exit_on_fail: 1,\n\t\t add_headers: h);\n\nif(! egrep(pattern:\"^<li>msg=The user '\\(unknown\\)'\", string:r[2]) &&\n egrep(pattern:\".*x-vermeer-rpc*\", string: r[1]))\n{\n msg = egrep(pattern:\".*<li>msg=.*'.*'.*'open service'.*\", string: r[2]);\n if ( msg )\n {\t\n user = ereg_replace(pattern:\".*<li>msg=.*'(.*)'.*'open service'.*\", string: r[2], replace:\"\\1\");\n myreport = 'The remote frontpage server leaks information regarding the name of the anonymous user.\\r\\n';\n myreport += 'By knowing the name of the anonymous user, more sophisticated attacks may be launched.\\r\\n';\n myreport += 'We could gather that the name of the anonymous user is : ' + user;\n set_kb_item(name:\"www/frontpage\", value:TRUE);\n\n report = '\\n' + myreport;\n security_warning (port:port, extra:report);\n exit(0);\n }\n}\n\nif (thorough_tests)\n{\n files = make_list( \"/_vti_bin/_vti_adm/admin.dll\",\n \t\t \"/_vti_bin/_vti_aut/author.dll\",\n\t\t \"/_vti_bin/shtml.exe/_vti_rpc\" );\n foreach file (files)\n {\n if (is_cgi_installed3(item: file, port:port))\n {\n name = strcat('www/no404/', port);\n no404 = get_kb_item(name);\n r = http_send_recv3(item: file, method: 'POST', port:port, exit_on_fail: 1);\n if (r[0] =~ \"^HTTP/1\\.[01] +200 \")\n {\n if(no404 && tolower(no404) >< tolower(r[0]+'\\r\\n'+r[1] + '\\r\\n\\r\\n'+r[2]))\n exit(0);\n security_warning(port);\n set_kb_item(name:\"www/frontpage\", value:TRUE);\n exit(0);\n 
}\n }\n}\n}\n\n\n\n", "naslFamily": "Web Servers", "pluginID": "10077", "cpe": ["cpe:/a:microsoft:frontpage"], "scheme": null, "cvss3": {"score": 5.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}
{"cve": [{"lastseen": "2020-10-03T11:36:56", "description": "Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.", "edition": 3, "cvss3": {}, "published": "2000-02-02T05:00:00", "title": "CVE-2000-0114", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2000-0114"], "modified": "2008-09-10T19:02:00", "cpe": ["cpe:/a:microsoft:internet_information_server:4.0", "cpe:/a:microsoft:internet_information_server:3.0"], "id": "CVE-2000-0114", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0114", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:microsoft:internet_information_server:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_information_server:3.0:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-2000-0114"], "edition": 1, "description": "## Vulnerability Description\nMicrosoft FrontPage contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when sending a HTTP RPC POST request to the 'shtml.dll' extension, which will disclose the name of the anonymous Internet account resulting in a loss of confidentiality.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. 
However, Microsoft has released a patch to address this vulnerability.\n## Short Description\nMicrosoft FrontPage contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when sending a HTTP RPC POST request to the 'shtml.dll' extension, which will disclose the name of the anonymous Internet account resulting in a loss of confidentiality.\n## Manual Testing Notes\n# telnet [target] 80\nTrying [target]...\nConnected to [target].\nEscape character is '^]'.\nPOST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.0\nConnection: Keep-Alive\nDate: Mon, 23 Mar 2003 00:00:15 GMT\nAccept: */*\nHost: 208.51.43.138\nUser-Agent: MSFrontPage/4.0\nContent-Length: 58\nContent-Type: application/x-www-form-urlencoded\nMIME-Version: 1.0\nX-Vermeer-Content-Type: application/x-www-form-urlencoded\nmethod=open+service%3a3%2e0%2e2%2e1105&service%5fname=%2f\n(Hit enter twice)\n## References:\nVendor URL: http://www.microsoft.com/\nSnort Signature ID: 940\nOther Advisory URL: http://www.atstake.com/research/advisories/2000/adviisfp.html\n[Nessus Plugin ID:10077](https://vulners.com/search?query=pluginID:10077)\nMicrosoft Security Bulletin: MS02-053\nMicrosoft Knowledge Base Article: 324096\nISS X-Force ID: 4001\n[CVE-2000-0114](https://vulners.com/cve/CVE-2000-0114)\n", "modified": "2000-02-03T00:00:00", "published": "2000-02-03T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:67", "id": "OSVDB:67", "type": "osvdb", "title": "Microsoft FrontPage Extension shtml.dll Anonymous Account Information Disclosure", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}]}