Frontpage files

From: Burnett, Robert (burnettr@Fortrex.com)
Date: Thu Oct 28 2004 - 12:56:56 EDT


Hello,

When pentesting, I sometimes come across web servers that have the _vti_bin and all the other _vti_* directories present even though Frontpage Extensions have been disabled. In IIS, when you disable the Extensions, shouldn't those directories be removed as well? Or are they still needed for some reason? I have developed a website using Frontpage before, and I noticed that the Frontpage-generated HTML would often invoke scripts located in the "_fpclass" folder, but not the _vti_* folders.

My second question is, if Frontpage Extensions are disabled, and those directories are still present, can files inside them (e.g. author.dll, admin.dll) still be exploited in any way, or are they harmless?

Thanks.

Robert
----------------------------------------------------------------------------------------------------

Confidentiality Notice
The content of this communication, along with any attachments, is covered by federal and state law governing electronic communications and may contain confidential and legally privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, use or copying of the information contained herein is strictly prohibited. If you have received this communication in error, please immediately contact us by telephone at (301) 977-6966 or e-mail info@fortrex.com. Thank you.



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:07 EDT