R – Does SharePoint 2007 use FrontPage Extensions

frontpageSecuritysharepointwss-3.0

An automated security scan was performed on my WSS 3.0 site and it came up with some warnings based on the apparent presence of FrontPage Extensions. Namely it found files like /_vti_pvt/service.cnf, /_vti_pvt/services.cnf, and /_vti_bin/_vti_aut/author.dll by appending those locations to the site's main URL over the web. These are apparently related to FrontPage Extensions. I have confirmed that the files exist and can be accessed over the web.

What exactly are these files for? Are they, indeed, related to FrontPage Extensions (which apparently has suffered from many security shortcomings in the past)? Can they be removed or disabled somehow?

Update:
I have removed read permissions to those directories under my SharePoint web site in IIS. They no longer serve over the web, but the site seems to function normally. So if anyone has an apparent security vulnerability from these files, a possible option is to remove the read permissions.

I have not tried to connect with SharePoint designer.

Best Answer

Yes, it does. See this:

http://www.sharepoint2007security.com/guidance/firewall_rules

Related Solutions

How does the SQL injection from the “Bobby Tables” XKCD comic work

It drops the students table.

The original code in the school's program probably looks something like

q = "INSERT INTO Students VALUES ('" + FNMName.Text + "', '" + LName.Text + "')";

This is the naive way to add text input into a query, and is very bad, as you will see.

After the values from the first name, middle name textbox FNMName.Text (which is Robert'); DROP TABLE STUDENTS; --) and the last name textbox LName.Text (let's call it Derper) are concatenated with the rest of the query, the result is now actually two queries separated by the statement terminator (semicolon). The second query has been injected into the first. When the code executes this query against the database, it will look like this

INSERT INTO Students VALUES ('Robert'); DROP TABLE Students; --', 'Derper')

which, in plain English, roughly translates to the two queries:

Add a new record to the Students table with a Name value of 'Robert'

and

Delete the Students table

Everything past the second query is marked as a comment: --', 'Derper')

The ' in the student's name is not a comment, it's the closing string delimiter. Since the student's name is a string, it's needed syntactically to complete the hypothetical query. Injection attacks only work when the SQL query they inject results in valid SQL.

^{^{Edited again as per dan04's astute comment}}

R – VS2008 – Front Page Server Extensions

Please refer to this link for the Security Issues: http://docs.sun.com/source/816-5666-10/esapmsfp.htm

If you installed the extensions after you had configured the permissions, you may have to replace the ACL's on those files by resetting the permissions for the project's folder because of the vti* folders and files it creates within the web application itself; it resets the permissions for those folders and will remove the permissions you have set. Also, it may map your application's _vti_bin folder to the program files folder location. I know the answer is kinda late, but better late than never I always tell her!

Would recommend TFS source control development over doing development using a UNC shared path.

Related Topic