An external auditor writes in his report of our site: "Since there are numerous vulnerabilities linked to pages produced by the FrontPage application.
First off, how does the auditor know that these forms are generated by FrontPage? Are the FP metadata tags in there? Or, are you using the FrontPage validation scripts?
I understand that there are vulnerabilities associated with running a server with FrontPage extensions, but I've never heard of them simply from producing HTML forms with FrontPage.
The only vulnerabilities I've seen over the years are problems caused by incorrect settings at the server level, not from the extensions themselves. Comments from IIS Admins would be appreciated in regards to this issue.
Is this right?
I don't think so. I'd have to ask the auditor to give me specific instances of where security is compromised and how. A form is a form. Whether it is created in FrontPage, Dreamweaver or Notepad, it is still a
Does the form reside at an https address? That would surely decrease most of the security issues that may arise when it comes to passing variable data that might be of a secure nature.
Thanks. That's what I thought. Was looking for some assurances from someone before saying so.
They determined the generator through meta tags which I plan to remove since they advise it. The form connects via https:// secured socket layer. The server is not a Microsoft server and is not running FrontPage extensions. I'm pretty familiar with forms code and it just looks like a plain old form to me.