漏洞类别:Web server漏洞等级: 
漏洞信息
The remote Web server appears to be running with Frontpage Extensions. On a default installation of Frontpage Extensions, a virtual directory /_vti_pvt/ is created. It may contain configuration files and encrypted password files.
Unspecified versions of Frontpage Extensions for Unix have been reported to create a readable (and occasionally writable) file called "services.pwd", which contains encrypted password and account information.
There are also unspecified versions of Frontpage Extensions that create a file "/_vti_pvt/administrators.pwd", which often has improper permissions set. Unauthorized users could retrieve this file via the following URL:
http://www.example.org/_vti_pvt/administrators.pwd"
Note that the detection of the presence of a directory is for the most part based on the return code in the HTTP responses to the HTTP requests such as "GET /directory/ HTTP/1.0" and may at times be unreliable.
漏洞危害
Some configuration files and encrypted password files can be retrieved from the system. If weak passwords were chosen, then unauthorized users may be able to guess them.
解决方案
You should check your configuration because several security problems have been discovered with FrontPage when the configuration file is not well set up. Apply better permissions on the Frontpage Extension Directories.
You should also make sure that you're using a strong password. Use the following guidelines to create a strong password:
- Use at least eight characters.
- Use a mix of four different types of characters (upper case letters, lower case letters, numbers and special characters, such as !@#$%^&*,;").
- If you're only using one special character, then it should not be the first or last character in the password.
- Do not use a name, slang word, or any word in the dictionary.
- Do not include any part of your name or your e-mail address.
0day
文章评论