FrontPage Produced Pages Secure?

Auditors Cite Security Vulnerabilities

     
5:43 pm on Jul 22, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Mar 4, 2002
posts:60
votes: 0


We have a couple of FrontPage produced forms on our company site. The site itself actually runs on an IBM mainframe with iPlanet server.

An external auditor writes in his report of our site: "Since there are numerous vulnerabilities linked to pages produced by the FrontPage application..."

I understand that there are vulnerabilities associated with running a server with FrontPage extensions, but I've never heard of them simply from producing HTML forms with FrontPage. Is this right?

5:48 pm on July 22, 2004 (gmt 0)

Senior Member from US 

pageoneresults

joined:Apr 27, 2001
posts:12171
votes: 60


> An external auditor writes in his report of our site: "Since there are numerous vulnerabilities linked to pages produced by the FrontPage application..."

First off, how does the auditor know that these forms are generated by FrontPage? Are the FP metadata tags in there? Or, are you using the FrontPage validation scripts?

> I understand that there are vulnerabilities associated with running a server with FrontPage extensions, but I've never heard of them simply from producing HTML forms with FrontPage.

The only vulnerabilities I've seen over the years are problems caused by incorrect settings at the server level, not from the extensions themselves. Comments from IIS Admins would be appreciated in regards to this issue.

> Is this right?

I don't think so. I'd have to ask the auditor to give me specific instances of where security is compromised and how. A form is a form. Whether it is created in FrontPage, Dreamweaver or Notepad, it is still a <form></form>.

Does the form reside at an https address? That would surely decrease most of the security issues that may arise when it comes to passing variable data that might be of a secure nature.

6:02 pm on July 22, 2004 (gmt 0)

Senior Member from US 

pageoneresults

joined:Apr 27, 2001
posts:12171
votes: 60


If you need to search Microsoft for any Security Bulletins relative to FrontPage Server Extensions and/or FrontPage Forms, you can start here...

Microsoft Security Bulletin Search [microsoft.com]

10:49 pm on July 22, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Mar 4, 2002
posts:60
votes: 0


Thanks. That's what I thought. Was looking for some assurances from someone before saying so.

They determined the generator through meta tags which I plan to remove since they advise it. The form connects via https:// secured socket layer. The server is not a Microsoft server and is not running FrontPage extensions. I'm pretty familiar with forms code and it just looks like a plain old form to me.

Thanks again.

11:06 pm on July 22, 2004 (gmt 0)

Senior Member from US 

pageoneresults

joined:Apr 27, 2001
posts:12171
votes: 60


> The server is not a Microsoft server and is not running FrontPage extensions.

As long as there is no FP functionality attached to that form, you'll be fine on a server without extensions. If you see any <webbot> validation code, it will not work on the server without the FP extensions installed.
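The checks raised in this thread (generator meta tags, webbot components, where the form posts) can be run against a page before replying to an auditor. This is an added example, not code from any poster; it assumes FrontPage's usual markers (GENERATOR/ProgId meta tags, `<!--webbot ...-->` comments, `--WEBBOT-SELF--` or `_vti_bin` form actions), and the sample page and the names `FrontPageAudit` and `audit` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FrontPageAudit(HTMLParser):
    """Collect the FrontPage traces discussed in the thread from one HTML page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta":
            # Generator fingerprint: how the auditor identified the authoring tool.
            if a.get("name", "").lower() in ("generator", "progid") \
                    and "frontpage" in a.get("content", "").lower():
                self.findings.append(("generator-meta", a["content"]))
        elif tag == "webbot":
            self.findings.append(("webbot", a.get("bot", "")))
        elif tag == "form":
            action = a.get("action", "")
            if "webbot" in action.lower() or "_vti_bin" in action.lower():
                # Handler exists only where the server extensions are installed.
                self.findings.append(("extension-dependent-form", action))
            elif urlparse(urljoin(self.page_url, action)).scheme != "https":
                self.findings.append(("form-not-https", action))

    def handle_comment(self, data):
        # FrontPage normally stores its components as <!--webbot bot="..." --> comments.
        if data.strip().lower().startswith("webbot"):
            m = re.search(r'bot="([^"]*)"', data, re.I)
            self.findings.append(("webbot", m.group(1) if m else ""))

def audit(html, page_url):
    parser = FrontPageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not from the thread).
SAMPLE = """<html><head>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head><body>
<form method="POST" action="/cgi-bin/contact">
<!--webbot bot="Validation" B-Value-Required="TRUE" -->
<input type="text" name="email">
</form></body></html>"""
```

Calling `audit(SAMPLE, "https://www.example.com/contact.html")` returns a list of `(kind, detail)` tuples; a relative form action is resolved against the page URL, so the same page served over plain http additionally reports `form-not-https`.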
 
