Microsoft FrontPage Extensions .pwd File Permissions

1999-07-22T19:00:51
ID OSVDB:68
Type osvdb
Reporter OSVDB
Modified 1999-07-22T19:00:51

Description

Vulnerability Description

This server is running Microsoft FrontPage extensions. FrontPage extensions allow anyone to download the .pwd files, which contain the encrypted passwords for FrontPage authors and Administrators. An attacker could easily decrypt these passwords and possibly post or overwrite information on the target web server.

Technical Description

checks for /vti_pvt/*.pwd

Solution Description

Place restrictive permissions on the /vti_pvt directory. Do not allow web users to view files in this directory.
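To see whether these files have already been requested or served, the web server's access log can be searched for the path this entry checks. The following is an added example, not part of the original entry: it assumes W3C extended log format with a `#Fields` directive, uses constructed sample lines and file names, and also matches the `_vti_pvt` spelling of the directory (an assumption, since the entry writes `/vti_pvt`).

```python
import re
from urllib.parse import unquote

# Matches a .pwd file directly inside the FrontPage private directory.
# The optional underscore covers the "_vti_pvt" spelling (assumption, see lead-in).
PWD_PATH = re.compile(r"/_?vti_pvt/[^/]*\.pwd$", re.IGNORECASE)

# Constructed sample log (W3C extended format); addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
1999-07-22 19:00:51 192.0.2.10 GET /index.htm 200 5120
1999-07-22 19:01:02 192.0.2.44 GET /_vti_pvt/example.pwd 200 87
1999-07-22 19:01:03 192.0.2.44 GET /_VTI_PVT/sample%2Epwd 403 0
1999-07-22 19:01:09 198.51.100.7 HEAD /vti_pvt/other.pwd 404 0
1999-07-22 19:02:30 192.0.2.10 GET /docs/vti_pvt.pwd.html 200 900
"""


def find_pwd_requests(log_text):
    """Return one dict per request for a vti_pvt .pwd file.

    verdict is "served" when the status is 2xx (the file left the server and
    its passwords should be treated as disclosed), otherwise "blocked".
    """
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Decode %xx escapes and normalise slashes before matching.
        path = unquote(row.get("cs-uri-stem", "")).replace("\\", "/")
        if not PWD_PATH.search(path):
            continue
        status = row.get("sc-status", "")
        findings.append({
            "client": row.get("c-ip", "-"),
            "path": path,
            "status": status,
            "verdict": "served" if status.startswith("2") else "blocked",
        })
    return findings


if __name__ == "__main__":
    for f in find_pwd_requests(SAMPLE_LOG):
        print(f"{f['verdict']:8} {f['status']} {f['client']:15} {f['path']}")
```

Any "served" result means the directory permissions in the solution above were not in place at the time of the request, so the passwords in that file should be changed as well as the permissions corrected.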

Short Description

This server is running Microsoft FrontPage extensions. FrontPage extensions allow anyone to download the .pwd files, which contain the encrypted passwords for FrontPage authors and Administrators. An attacker could easily decrypt these passwords and possibly post or overwrite information on the target web server.

References:

Nessus Plugin ID: 10078
ISS X-Force ID: 3393