
The Community Forums


FrontPage Extensions AGAIN ?

Discussion in 'General Discussion' started by viraj, Jun 5, 2008.

  1. viraj

    viraj Well-Known Member
    Sep 28, 2006
    cPanel Access Level: DataCenter Provider

    Exploits :: FrontPage Extensions AGAIN ?

    Let me start from the root...

    How FrontPage Works:-
    FrontPage tries to GET "". This file contains the version of the FP extensions and the path on the server where the extensions are located. When you use FrontPage to upload content, it will try and fetch this file; if it can, it then tries to POST to "" (that's the default). This server binary is not password protected, so it is able to post a query to it. The first thing it does is just establish a protocol rev in which the client and server are going to talk, and what functions the server provides.

    If you have any people using Frontpage, it's likely that they FTP'ed the _vti_inf.html from their local computer up to your site. Then they tried to publish, and it tried HTTP first. If HTTP fails, it just kicks over to FTP as the publishing protocol...

    Why Is FrontPage Unsafe to Publish Websites?
    Firstly, they maintain a huge number of meta files (one shadow for every file managed). Then they have all the configuration information in a collection of text files in the _vti_pvt directory. If you go to a site that has FrontPage extensions, just pick any directory in the URL, remove the filename off, and replace it with "_vti_cnf". Instead of the file, you will get a complete listing of all the files in the real directory. With this you can view files that weren't meant to be seen by the public in general. This happens on all FrontPage enabled websites...

    Why is it dangerous?
    If you have ever had a look at a FrontPage extensions enabled web server, in the root you would notice a folder named _vti_pvt. This is the folder which has all the important files. The list is as below...


    Most hackers target the file "service.pwd" since this is the file that is holding the username and the encrypted password for that user. They google for potential victims with the keyword "inurl:"_vti_pvt" inurl:service filetype: pwd". Let's suppose the click was made on the first search result i.e. . The file looks like this.

    # -FrontPage-

    In the file above, the first line is just a harmless comment. In the second line, "admin" is the username and "YbV1JnafKRmnQ" is the password which should have been encrypted, but is not! Sometimes, this password is also called a password hash. It's encrypted in an encryption algorithm called DES.

    Now all you have to do is collect the username and password you want to break. To crack passwords, you get a lot of cracking tools (which can be found over google). Most crackers allow you to put in the username and hashes in it and save it as a file. The time taken by a password cracker to crack a hash depends on the password. A simple password like "stupid" will take hardly a second while something like "R%T^Uk;lyu$£p}?<" will take a bit of time. The cracking speed also depends on your computer's CPU speed to an extent.

    Once the hashes have been cracked, just open FrontPage >> File >> Open Web. Put the address, username and password. You will be inside the user's account!! Once logged in, hackers also try the same username and password for FTP as 8 out of 10 times, the credentials are the same. Once they have full access, you are at their mercy. Also once an account is hacked into, it's always very easy to crack into a second time...

    I've heard Microsoft's discontinuing support for FrontPage shortly, i.e. it's now in an EOL stage. Does cPanel have any future plan for this? Removing FrontPage from web hosting businesses will be a revolution... rather in the negative sense...
    #1 viraj, Jun 5, 2008
    Last edited: Jun 6, 2008
  2. cPanelNick

    cPanelNick Administrator
    Staff Member
    Mar 9, 2015
    cPanel Access Level: DataCenter Provider

    This is why cPanel comes with mod_auth_passthrough. --- no more 644 service.pwd files..

    root@fit [/home/koston/public_html/_vti_pvt]# ls -l service.pwd
    -rw------- 1 koston koston 35 May 22 18:39 service.pwd
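The two exposures raised in the thread (a world-readable _vti_pvt/service.pwd, and _vti_cnf directories that give away file listings) can be checked for from the server side. The following script is an added example written for this page, not code from cPanel or from either poster; it walks a web root, flags any service.pwd that is looser than the 0600 mode shown in the ls -l output above, parses the file's `user:hash` entries (comment lines start with `#`), counts how many hashes are in the 13-character DES crypt(3) format the first post describes, and reports any _vti_cnf directories it finds. The sample web root it builds, the user names and the 13-character value `aaPLACEHOLDER` are all constructed for the demonstration and are not real data.

```python
"""Audit a web root for FrontPage Server Extension residue (added example).

Defender-side checks for the exposures described in the thread:
  * _vti_pvt/service.pwd files readable by group or world (anything looser
    than the 0600 in the thread's `ls -l`), plus a parse of their entries
    and a count of hashes in 13-character DES crypt(3) format;
  * _vti_cnf directories, whose presence means a directory listing may be
    reachable under that path.
"""
import os
import re
import stat
import tempfile

# crypt(3) DES output: 2-char salt + 11 chars, all from the crypt alphabet
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
SAFE_MODE = 0o600  # owner read/write only, as in the thread's ls -l output


def parse_service_pwd(text):
    """Return (user, hash, looks_like_des_crypt) tuples from service.pwd content.

    Lines starting with '#' (e.g. '# -FrontPage-') are comments; entries are
    'user:hash', one per line. Malformed lines without ':' are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, pwhash = line.partition(":")
        if not sep:
            continue
        entries.append((user, pwhash, DES_CRYPT_RE.match(pwhash) is not None))
    return entries


def audit_webroot(webroot):
    """Walk webroot and return a sorted list of finding dicts."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        base = os.path.basename(dirpath)
        rel = os.path.relpath(dirpath, webroot)
        if base == "_vti_cnf":
            findings.append({"kind": "vti_cnf_dir", "path": rel})
        if base == "_vti_pvt" and "service.pwd" in filenames:
            pwd_path = os.path.join(dirpath, "service.pwd")
            mode = stat.S_IMODE(os.stat(pwd_path).st_mode)
            with open(pwd_path, encoding="utf-8", errors="replace") as fh:
                entries = parse_service_pwd(fh.read())
            findings.append({
                "kind": "service_pwd",
                "path": os.path.join(rel, "service.pwd"),
                "mode": mode,
                # any group/other read bit means the hashes are exposed
                "exposed": (mode & (stat.S_IRGRP | stat.S_IROTH)) != 0,
                "users": [u for u, _h, _d in entries],
                "des_crypt_hashes": sum(1 for _u, _h, d in entries if d),
            })
    return sorted(findings, key=lambda f: (f["kind"], f["path"]))


def build_sample_tree(root):
    """Create a constructed sample web root (placeholder data, not real)."""
    # hypothetical site 1: world-readable service.pwd (the bad case)
    bad = os.path.join(root, "_vti_pvt")
    os.makedirs(bad)
    with open(os.path.join(bad, "service.pwd"), "w", encoding="utf-8") as fh:
        fh.write("# -FrontPage-\nadmin:aaPLACEHOLDER\n")
    os.chmod(os.path.join(bad, "service.pwd"), 0o644)
    # hypothetical site 2: locked down to 0600 as mod_auth_passthrough leaves it
    good = os.path.join(root, "shop", "_vti_pvt")
    os.makedirs(good)
    with open(os.path.join(good, "service.pwd"), "w", encoding="utf-8") as fh:
        fh.write("# -FrontPage-\nshopadmin:aaPLACEHOLDER\n")
    os.chmod(os.path.join(good, "service.pwd"), SAFE_MODE)
    # leftover _vti_cnf directory under a third path
    os.makedirs(os.path.join(root, "blog", "_vti_cnf"))


def demo():
    """Build the constructed tree in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_webroot(root)


if __name__ == "__main__":
    for f in demo():
        if f["kind"] == "service_pwd":
            flag = "EXPOSED" if f["exposed"] else "ok"
            print(f"{f['path']}: mode {f['mode']:04o} {flag}, users={f['users']}, "
                  f"des_crypt_hashes={f['des_crypt_hashes']}")
        else:
            print(f"{f['path']}: _vti_cnf directory present")
```

Run against a real account with `audit_webroot("/home/<user>/public_html")`; any `service_pwd` finding with `exposed` set is the 644 case cPanelNick refers to, and `chmod 600` plus a check that mod_auth_passthrough is handling FrontPage authentication is the remediation the thread points to.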
