FrontPage 2000 Exposes Windows 2000 Accounts

 
Reported April 21, 2000 by Paul Rogers
VERSIONS AFFECTED
  • FrontPage 2000 Extensions for Internet Information Server 5.0

DESCRIPTION

When a valid FrontPage user connects to a remote Web using a FrontPage client, that user can obtain a list of account names.

This particular security risk first appeared under NT 4.0, IIS 4.0, and FrontPage 98, and was apparently carried over to the new platform unchecked. The workaround information for the NT 4.0 platform does not work on Windows 2000 platforms.

DEMONSTRATION

Open FrontPage 2000, connect to your remote Web, then click Tools, Security, Permissions, and then Add on the Users tab. A list of accounts on the remote server will be displayed.

VENDOR RESPONSE

According to BugNet, Microsoft is working on a patch for the matter; however, at the time of this writing it was not known when the patch would become available.

CREDITS
Discovered and reported by Paul Rogers