pageoneresults

msg:940644 | 5:48 pm on Jul 22, 2004 (gmt 0)

| An external auditor writes in his report of our site: "Since there are numerous vulnerabilities linked to pages produced by the FrontPage application.

First off, how does the auditor know that these forms are generated by FrontPage? Are the FP metadata tags in there? Or, are you using the FrontPage validation scripts?

I understand that there are vulnerabilities associated with running a server with FrontPage extensions, but I've never heard of them simply from producing HTML forms with FrontPage.

| The only vulnerabilities I've seen over the years are problems caused by incorrect settings at the server level, not from the extensions themselves. Comments from IIS Admins would be appreciated in regards to this issue.

I don't think so. I'd have to ask the auditor to give me specific instances of where security is compromised and how. A form is a form. Whether it is created in FrontPage, Dreamweaver or Notepad, it is still a <form></form>.

Does the form reside at an https address? That would surely decrease most of the security issues that may arise when it comes to passing variable data that might be of a secure nature.
pageoneresults

msg:940645 | 6:02 pm on Jul 22, 2004 (gmt 0)

If you need to search Microsoft for any Security Bulletins relative to FrontPage Server Extensions and/or FrontPage Forms, you can start here... Microsoft Security Bulletin Search [microsoft.com]
mikegram

msg:940646 | 10:49 pm on Jul 22, 2004 (gmt 0)

Thanks. That's what I thought. Was looking for some assurances from someone before saying so. They determined the generator through meta tags, which I plan to remove since they advise it. The form connects via https:// secured socket layer. The server is not a Microsoft server and is not running FrontPage extensions. I'm pretty familiar with forms code and it just looks like a plain old form to me. Thanks again.
pageoneresults

msg:940647 | 11:06 pm on Jul 22, 2004 (gmt 0)

| The server is not a Microsoft server and is not running FrontPage extensions.

As long as there is no FP functionality attached to that form, you'll be fine on a server without extensions. If you see any <webbot> validation code, it will not work on the server without the FP extensions installed.
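The thread turns on two checks: how the auditor recognised FrontPage output (the GENERATOR/ProgId meta tags), and whether the form carries any webbot component that only works with FrontPage Server Extensions. The following scanner is an added example, not code from the thread or from Microsoft; it uses Python's standard `html.parser` to report both fingerprints and to strip the generator meta tags. The sample HTML documents are constructed for the example, and the meta-stripping regex assumes FrontPage's usual `name="..." content="..."` attribute order.

```python
"""Scan HTML for FrontPage fingerprints (GENERATOR/ProgId meta tags and
webbot comments) and strip the meta tags that reveal the authoring tool.
Added example; not the thread's or Microsoft's code."""
import re
from html.parser import HTMLParser

# Meta names FrontPage writes into pages it saves.
FRONTPAGE_META_NAMES = {"generator", "progid"}


class FrontPageFingerprintScanner(HTMLParser):
    """Collects FrontPage-specific markup while parsing a document."""

    def __init__(self):
        super().__init__()
        self.meta_tags = []   # (name, content) pairs whose content mentions FrontPage
        self.webbots = []     # bot names taken from <!--webbot bot="..." --> comments

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser lowercases tag names for us
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        name = attr.get("name", "").lower()
        content = attr.get("content", "")
        if name in FRONTPAGE_META_NAMES and "frontpage" in content.lower():
            self.meta_tags.append((name, content))

    def handle_comment(self, data):
        # FrontPage components are stored as HTML comments, e.g.
        # <!--webbot bot="Validation" S-Display-Name="Email" B-Value-Required="TRUE" -->
        match = re.match(r'\s*webbot\s+bot="([^"]+)"', data, re.IGNORECASE)
        if match:
            self.webbots.append(match.group(1))


def scan_html(html):
    """Return a report of FrontPage fingerprints found in the HTML text."""
    scanner = FrontPageFingerprintScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "meta_tags": scanner.meta_tags,
        "webbots": scanner.webbots,
        # Webbot components only function with FrontPage Server Extensions;
        # a form without them is just a <form>, whatever editor wrote it.
        "needs_fp_extensions": bool(scanner.webbots),
    }


# Matches the two generator meta tags only; other <meta> tags are left alone.
# Assumes the name attribute precedes content, as FrontPage writes them.
_META_RE = re.compile(
    r'<meta\s+name="(?:GENERATOR|ProgId)"\s+content="[^"]*"\s*/?>\s*',
    re.IGNORECASE,
)


def strip_generator_meta(html):
    """Remove the GENERATOR and ProgId meta tags that reveal the authoring tool."""
    return _META_RE.sub("", html)


# Constructed sample: a FrontPage-style page with webbot form components.
SAMPLE_HTML = """<html><head>
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Contact</title></head>
<body>
<form method="POST" action="--WEBBOT-SELF--">
<!--webbot bot="SaveResults" U-File="_private/form_results.txt" -->
<!--webbot bot="Validation" S-Display-Name="Email" B-Value-Required="TRUE" -->
<input type="text" name="Email" size="30">
<input type="submit" value="Submit">
</form></body></html>"""

# Constructed sample: the same form written by hand, with no FrontPage markup.
PLAIN_HTML = """<html><head><title>Contact</title></head><body>
<form method="POST" action="/cgi-bin/contact">
<input type="text" name="Email" size="30">
<input type="submit" value="Submit">
</form></body></html>"""


if __name__ == "__main__":
    for label, doc in (("frontpage", SAMPLE_HTML), ("plain", PLAIN_HTML)):
        print(label, scan_html(doc))
    print(strip_generator_meta(SAMPLE_HTML))
```

Removing the meta tags only takes away the fingerprint; the `webbots` list is what tells you whether the form still depends on the extensions. A page that reports no webbots is a plain form and behaves the same on any server.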