Linux - Remove frontpage extensions

  • jc8654
    Which is why eUK and my business don't offer FP any more. At least Expressions allows live FTP editing, which replaces a lot of what FP extensions did.

  • Danny M
    That indeed seems to be very dangerous in terms of security on the server. It is good that we are all aware of such security flaws. Thanks to you both for this wonderful piece of information, Jack and Nick, as well as Thomas.

  • Rock
    Here's some info on why FrontPage extensions are considered to be unsafe, posing unknown dangers:

    How FrontPage Works:

    FrontPage tries to GET "". This file contains the version of the FP extensions and the path on the server where the extensions are located. When you use FrontPage to upload content, it will try to fetch this file; if it can, it then tries to POST to "" (that's the default). This server binary is not password protected, so it is able to post a query to it. The first thing it does is establish a protocol rev in which the client and server are going to talk, and what functions the server provides.

    If you have any people using FrontPage, it's likely that they FTP'ed the _vti_inf.html from their local computer up to your site. Then they tried to publish, and it tried HTTP first. If HTTP fails, it just kicks over to FTP as the publishing protocol.

    Why Is FrontPage Unsafe to Publish Websites?

    Firstly, they maintain a huge number of meta files (one shadow for every file managed). Then they have all the configuration information in a collection of text files in the _vti_pvt directory. If you go to a site that has FrontPage extensions, just pick any directory in the URL, remove the filename, and replace it with "_vti_cnf". Instead of the file, you will get a complete listing of all the files in the real directory. With this you can view files that weren't meant to be seen by the public in general. This happens on all FrontPage-enabled websites.

    Why is it dangerous?

    If you have ever had a look at a FrontPage extensions enabled web server, in the root you would notice a folder named _vti_pvt. This is the folder which has all the important files. The list is as below.


    Most hackers target the file "service.pwd" since this is the file that is holding the username and the encrypted password for that user. They google for potential victims with the keyword "inurl:"_vti_pvt" inurl:service filetype: pwd". Let's suppose the click was made on the first search result i.e. . The file looks like this.

    # -FrontPage-

    In the file above, the first line is just a harmless comment. In the second line, "admin" is the username and "YbV1JnafKRmnQ" is the password which should have been encrypted, but is not! Sometimes, this password is also called a password hash. It's encrypted with an encryption algorithm called DES.

    Now all you have to do is collect the username and password you want to break. To crack passwords, you get a lot of cracking tools (which can be found over Google). Most crackers allow you to put in the username and hashes in it and save it as a file. The time taken by a password cracker to crack a hash depends on the password. A simple password like "stupid" will take hardly a second while something like "R%T^Uk;lyu$úp}?<" will take a bit of time. The cracking speed also depends on your computer's CPU speed to an extent.

    Once the hashes have been cracked, just open FrontPage >> File >> Open Web. Put the address, username and password. You will be inside the user's account!! Once logged in, hackers also try the same username and password for FTP as 8 out of 10 times, the credentials are the same. Once they have full access, you are at their mercy. Also, once an account is hacked into, it's always very easy to crack into a second time.

    PS: Thanks to Nick for this piece of information

  • WelshTom
    If you still have FrontPage extensions installed, you really need to have a re-think on how you manage your security.

    FrontPage causes big vulnerabilities on Linux and shouldn't be used; it shouldn't even be installed.

    Run these commands from SSH:

    rpm -qa | grep -i frontpage

    (If FrontPage is installed, something will be returned; just as an example, let's just say FrontPage was returned.)

    To remove them, type this command:

    rpm -e frontpage

    Remember to change "frontpage" above with whatever was returned from your first command.
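
Added example, not part of the original posts: a shell audit to run after the package removal described in the thread, listing any installed FrontPage package and any _vti_* directories or .pwd files still present in a document root. The function names, and the assumption that per-site _vti_* directories can remain after the package is removed, are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a host for FrontPage leftovers.
# Assumption: per-site _vti_* directories may remain after "rpm -e".

# Print installed package names containing "frontpage" (any case).
# Prints nothing when rpm is absent or no package matches.
fp_packages() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -qa | grep -i frontpage || true
}

# Print one line per artifact found under the given document root:
#   DIR  <path>                 a _vti_* metadata directory
#   PWD  <path> <exposure>      a *.pwd credentials file inside _vti_pvt
fp_artifacts() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" -type d -name '_vti_*' -print | sort | sed 's/^/DIR  /'
    find "$root" -type f -path '*/_vti_pvt/*' -name '*.pwd' -print | sort |
    while IFS= read -r f; do
        # The "other" read bit means any local user, and usually the
        # web server, can read the stored username and hash.
        if [ -n "$(find "$f" -perm -004 -print)" ]; then
            echo "PWD  $f world-readable"
        else
            echo "PWD  $f restricted"
        fi
    done
}

# Number of artifacts under a document root; 0 means the tree is clean.
fp_artifact_count() {
    fp_artifacts "$1" | wc -l | tr -d ' '
}

# Stand-alone use: sh fp_audit.sh /path/to/docroot
if [ "$#" -gt 0 ]; then
    fp_packages
    fp_artifacts "$1"
fi
```

Any DIR or PWD line reported after the package is gone points at content to delete from that site, and any account listed in a reported .pwd file should have its password changed, including on FTP if it was reused there.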