Subject: ADVISORY: FrontPage Server Extensions

[ with apologies for the extended silence regarding this matter ... ]

IITS would like to warn the system administration community at Concordia about a vulnerability which exists in Microsoft's FrontPage Server Extensions product for web servers.

Affected platforms:

Windows-95/NT and various UNIX running a web server with FrontPage Server Extensions. For a complete list, see
http://officeupdate.microsoft.com/frontpage/wpp/platforms.htm

Vulnerability:

On an incorrectly configured system, it may be possible for remote users to gain access to privileged accounts on the system hosting the web server. Any web server with the FrontPage Server Extensions is vulnerable.

Description:

FrontPage Server Extensions are programs on the web server which provide the necessary functionality to publish and maintain web pages created with Microsoft FrontPage.

We strongly encourage all system administrators to carefully read the FrontPage Server Extensions Resource Kit in its entirety before installing the Server Extensions on a production server.
(http://officeupdate.microsoft.com/frontpage/wpp/SERK/default.htm)

Administrators of systems with the FrontPage Server Extensions already installed should also read the Resource Kit, to be sure they understand what files and directories comprise the FrontPage Server Extensions, and that their systems are configured securely.

Background:

The FrontPage Server Extensions maintain a list of accounts, with usernames and passwords, and a list of groups of users with various levels of permissions for using the services of the Web server. The accounts and groups maintained by the Web server are separate from the list of users and groups with access to the host computer's file system.

The password files and the directories containing them vary depending upon which web server is being used and which operating system it is running on (comprehensive lists are included at the URL mentioned above). On a typical system, under the document root (and under "FrontPage roots" -- directories containing the root of a given FrontPage-managed web site), a directory named _vti_pvt is created containing the following files:

  service.pwd -- contains the list of users and passwords for the FrontPage web.
  service.grp -- contains the list of groups (one group for authors and one for administrators in FrontPage).

On Netscape servers, there are no service.grp files. The Netscape password files are:

  administrators.pwd -- for administrators
  authors.pwd -- for authors and administrators
  users.pwd -- for users, authors, and administrators

Any user with read access to these files could compromise the passwords contained in them. More importantly, the web server may transmit these files upon request, unless it has been carefully configured not to do so, allowing remote users to compromise the passwords they contain.

Suggested fixes:

It is STRONGLY RECOMMENDED that the usernames and passwords used in the FrontPage password files not match those which have login access to the host. In particular, privileged accounts (such as root on a Unix system, and Administrator on an NT system) should not have entries in these files.

Ideally, it would be possible to move these files outside of the web server's document tree, and configure FrontPage Server Extensions to use the files elsewhere, though this doesn't appear to be possible.
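
One way an administrator could check a host against the recommendations above, as an added example that is not part of the original advisory or of the FrontPage product. It assumes the password files hold "name:hash" lines with "#" comment lines, that the permission test is run on a Unix host, and that the list of host logins is supplied by the caller; the sample tree and hashes in demo() are constructed.

```python
import os
import stat
import tempfile

# Password file names listed in the advisory (FrontPage and Netscape servers).
PWD_FILES = {"service.pwd", "administrators.pwd", "authors.pwd", "users.pwd"}

def parse_names(path):
    """Usernames in a password file (assumed 'name:hash' lines, '#' comments)."""
    names = set()
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and ":" in line:
                names.add(line.split(":", 1)[0])
    return names

def audit(docroot, host_accounts, privileged=("root", "Administrator")):
    """Return (path, issue) tuples for password files under any _vti_pvt."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if os.path.basename(dirpath) != "_vti_pvt":
            continue
        for name in sorted(PWD_FILES.intersection(files)):
            path = os.path.join(dirpath, name)
            # Any local user with read access can copy the password entries.
            if os.stat(path).st_mode & stat.S_IROTH:
                findings.append((path, "world-readable"))
            for user in sorted(parse_names(path)):
                if user in privileged:
                    findings.append((path, "privileged account listed: " + user))
                elif user in host_accounts:
                    findings.append((path, "matches host login: " + user))
    return findings

def demo():
    """Audit a constructed document root containing one FrontPage web."""
    with tempfile.TemporaryDirectory() as root:
        pvt = os.path.join(root, "_vti_pvt")
        os.mkdir(pvt)
        path = os.path.join(pvt, "service.pwd")
        with open(path, "w") as fh:  # constructed sample, placeholder hashes
            fh.write("# -FrontPage-\nroot:HASH1\nalice:HASH2\nwebauthor:HASH3\n")
        os.chmod(path, 0o644)
        return [issue for _p, issue in audit(root, {"root", "alice", "bob"})]

if __name__ == "__main__":
    for issue in demo():
        print(issue)
```

On a real host, call audit() with the server's document root and the set of login names taken from the host's account database.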