Note: The red stoplight on this page indicates the highest severity level for this category of vulnerabilities. The severity level in this instance is indicated by the colored dot beside the link to this tutorial on the previous page.
FrontPage Server Extensions also include an optional subcomponent called Visual Studio Remote Application Deployment (RAD) support. This support allows Visual InterDev users to register objects on the web server.
CVE-2001-0341
Due to an unchecked buffer in the Visual Studio RAD sub-component of
FrontPage Server Extensions, it could be possible for a remote
attacker to execute arbitrary commands with IUSR_machinename
privileges, or in some cases SYSTEM privileges.
This vulnerability can only be exploited if the Visual Studio RAD
sub-component is installed, which is not the case by default.
The FrontPage password file(s) indicated on the previous screen, next to the link to this tutorial, are readable by an unprivileged web user. An attacker could crack the encrypted passwords and gain unauthorized access to the web site. If any users' FrontPage passwords are the same as their system passwords, the system could be compromised as well.
To secure the FrontPage password file, set the permissions on the file(s) to be more restrictive. The exact permissions which should be used are not specified. Use the most restrictive permissions possible without denying access to legitimate users.
On Windows NT systems:
Use the chmod command.
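One way to find and tighten world-readable FrontPage password files with chmod on a Unix web server. This is an added example, not part of the original tutorial. It assumes the password files are the `*.pwd` files that FrontPage stores in `_vti_pvt` directories, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit FrontPage password files under a web root (Unix).
# Assumption (not from the page): the files are the *.pwd files kept in
# _vti_pvt directories, e.g. service.pwd or administrators.pwd.

# Print every FrontPage password file under $1 that "other" users can read.
# -perm -004 matches any mode with the world-read bit set.
fp_pwd_world_readable() {
    find "$1" -type f -path '*/_vti_pvt/*' -name '*.pwd' -perm -004 -print
}

# Remove all "other" access from each file found. Owner and group bits are
# left alone, so the web server account must reach the file through one of
# those; check that before running this on a live site.
fp_pwd_restrict() {
    fp_pwd_world_readable "$1" | while IFS= read -r f; do
        chmod o-rwx "$f" && printf 'restricted: %s\n' "$f"
    done
}

# Stand-alone use: pass the web root to list the exposed files.
if [ "$#" -ge 1 ]; then
    fp_pwd_world_readable "$1"
fi
```

Run the listing first and review it; `fp_pwd_restrict` only removes access for "other", so a file that is group-readable by too broad a group still needs a manual decision.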
See the Rhino 9 Advisory for more information about the password file vulnerability.