The Community Forums

Interact with an entire community of cPanel & WHM users!

FrontPage Extensions AGAIN ?

Discussion in 'General Discussion' started by viraj, Jun 5, 2008.

  1. viraj

    viraj Well-Known Member

    Joined:
    Sep 28, 2006
    Messages:
    209
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    Exploits :: FrontPage Extensions AGAIN ?

    Let me start from the root...

    How FrontPage Works:-
    FrontPage tries to GET "http://www.yourdomain.com/_vti_inf.html". This file contains the version of the FP extensions and the path on the server where the extensions are located. When you use Frontpage to upload content, it will try and fetch this file, if it can, it then tries to POST to "http://www.yourdomain.com/_vti_bin/shtml.exe/_vti_rpc" (that's the default). This server binary is not password protected, so it is able to post a query to it. The first thing it does is just establish a protocol rev in which the client and server are going to talk, and what functions the server provides..

    If you have any people using Frontpage, it's likely that they FTP'ed the _vti_inf.html from their local computer up to your site. Then they tried to publish, and it tried HTTP first. If HTTP fails, it just kicks over to FTP as the publishing protocol...

    Why Is FrontPage Unsafe to Publish Websites?
    Firstly, they maintain a huge number of meta files (one shadow for every file managed). Then they have all the configuration information in a collection of text files in the _vti_pvt directory. If you go to a site that has FrontPage extensions, just pick any directory in the URL, remove the filename off, and replace it with "_vti_cnf". Instead of the file, you will get a complete listing of all the files in the real directory. With this you can view files that weren't meant to be seen by the public in general. This happens on all FrontPage enabled websites...

    Why is it dangerous?
    If you have ever had a look at a FrontPage extensions enabled web server, in the root you would notice a folder named _vti_pvt, like www.victim.com/_vti_pvt/. This is the folder which has all the important files. The list is as below...

    access.cnf
    botinfs.cnf
    service.cnf
    service.pwd
    writeto.cnf


    Most hackers target the file "service.pwd" since this is the file that is holding the username and the encrypted password for that user. They google for potential victims with the keyword "inurl:"_vti_pvt" inurl:service filetype: pwd". Let's suppose the click was made on the first search result, i.e. http://www.victim.com/_vti_pvt/service.pwd. The file looks like this.

    # -FrontPage-
    admin:YbV1JnafKRmnQ


    In the file above, the first line is just a harmless comment. In the second line, "admin" is the username and "YbV1JnafKRmnQ" is the password which should have been encrypted, but is not! Sometimes, this password is also called a password hash. It's encrypted in an encryption algorithm called DES..

    Now all you have to do is collect the username and password you want to break. To crack passwords, you get a lot of cracking tools (which can be found over google). Most crackers allow you to put in the username and hashes and save them as a file. The time taken by a password cracker to crack a hash depends on the password. A simple password like "stupid" will take hardly a second while something like "R%T^Uk;lyu$£p}?<" will take a bit of time. The cracking speed also depends on your computer's CPU speed to an extent..

    Once the hashes have been cracked, just open FrontPage >> File >> Open Web. Put in the address, username and password. You will be inside the user's account!! Once logged in, hackers also try the same username and password for FTP as 8 out of 10 times, the credentials are the same. Once they have full access, you are at their mercy. Also once an account is hacked into, it's always very easy to crack into a second time...

    I've heard Microsoft's discontinuing support for FrontPage shortly, ie it's now in an EOL stage.. does cPanel have any future plan for this ? Removing FrontPage from web hosting businesses will be a revolution.. rather in the negative sense...
     
    #1 viraj, Jun 5, 2008
    Last edited: Jun 6, 2008
  2. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    This is why cpanel comes with mod_auth_passthrough. --- no more 644 server.pwd files..

    root@fit [/home/koston/public_html/_vti_pvt]# ls -l service.pwd
    -rw------- 1 koston koston 35 May 22 18:39 service.pwd
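The permission check cPanelNick's `ls -l` output illustrates, written up as an added audit script (not code from the thread or from cPanel): it finds every `_vti_pvt/service.pwd` under a given root that is still readable by group or others and can tighten them to owner-only. It assumes the cPanel layout of document roots under `/home/<user>/public_html`; the `pwd_audit` function name and the sample tree are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the condition shown fixed in the
# reply above: FrontPage service.pwd files readable by group or others, which
# any other account on the box could copy and feed to a cracker.
# Assumption: cPanel layout, document roots under /home/<user>/public_html.

# List every _vti_pvt/service.pwd under $1 whose mode grants group or other
# read access. POSIX find: "-perm -g+r" means "at least group-readable".
find_loose_pwd() {
    find "$1" -type f -path '*/_vti_pvt/service.pwd' \
        \( -perm -g+r -o -perm -o+r \) -print
}

# Number of such files, as a bare integer (tr strips BSD wc's padding).
count_loose_pwd() {
    find_loose_pwd "$1" | wc -l | tr -d ' '
}

# Tighten each loose file to owner-only (0600), i.e. the -rw------- mode in the
# reply above, and report each path changed.
fix_loose_pwd() {
    find_loose_pwd "$1" | while IFS= read -r f; do
        chmod 600 "$f" && printf 'fixed: %s\n' "$f"
    done
}

# pwd_audit ROOT [--fix]: report loose files under ROOT; with --fix, repair them.
# Example invocation on a live server:  pwd_audit /home --fix
pwd_audit() {
    root=${1:-/home}
    n=$(count_loose_pwd "$root")
    printf '%s service.pwd file(s) readable by group/others under %s\n' "$n" "$root"
    find_loose_pwd "$root"
    [ "$2" = "--fix" ] && fix_loose_pwd "$root"
    return 0
}
```

Because the web server's own request path (mod_auth_passthrough, as noted in the reply) can still serve the file if it is group-readable by the httpd user, the owner-only mode is the setting to verify, not merely the absence of world read.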
     
