FrontPage Produced Pages Secure?

Auditors Cite Security Vulnerabilities

     
5:43 pm on Jul 22, 2004 (gmt 0)

10+ Year Member



We have a couple of FrontPage produced forms on our company site. The site itself actually runs on an IBM mainframe with iPlanet server.

An external auditor writes in his report of our site: "Since there are numerous vulnerabilities linked to pages produced by the FrontPage application..."

I understand that there are vulnerabilities associated with running a server with FrontPage extensions, but I've never heard of them simply from producing HTML forms with FrontPage. Is this right?

5:48 pm on Jul 22, 2004 (gmt 0)

WebmasterWorld Senior Member pageoneresults is a WebmasterWorld Top Contributor of All Time 10+ Year Member



An external auditor writes in his report of our site: "Since there are numerous vulnerabilities linked to pages produced by the FrontPage application..."

First off, how does the auditor know that these forms are generated by FrontPage? Are the FP metadata tags in there? Or, are you using the FrontPage validation scripts?

I understand that there are vulnerabilities associated with running a server with FrontPage extensions, but I've never heard of them simply from producing HTML forms with FrontPage.

The only vulnerabilities I've seen over the years are problems caused by incorrect settings at the server level, not from the extensions themselves. Comments from IIS Admins would be appreciated in regards to this issue.

Is this right?

I don't think so. I'd have to ask the auditor to give me specific instances of where security is compromised and how. A form is a form. Whether it is created in FrontPage, Dreamweaver or Notepad, it is still a <form></form>.

Does the form reside at an https address? That would surely decrease most of the security issues that may arise when it comes to passing variable data that might be of a secure nature.

6:02 pm on Jul 22, 2004 (gmt 0)

WebmasterWorld Senior Member pageoneresults is a WebmasterWorld Top Contributor of All Time 10+ Year Member



If you need to search Microsoft for any Security Bulletins relative to FrontPage Server Extensions and/or FrontPage Forms, you can start here...

Microsoft Security Bulletin Search [microsoft.com]

10:49 pm on Jul 22, 2004 (gmt 0)

10+ Year Member



Thanks. That's what I thought. Was looking for some assurances from someone before saying so.

They determined the generator through meta tags which I plan to remove since they advise it. The form connects via https:// secured socket layer. The server is not a Microsoft server and is not running FrontPage extensions. I'm pretty familiar with forms code and it just looks like a plain old form to me.

Thanks again.

11:06 pm on Jul 22, 2004 (gmt 0)

WebmasterWorld Senior Member pageoneresults is a WebmasterWorld Top Contributor of All Time 10+ Year Member



The server is not a Microsoft server and is not running FrontPage extensions.

As long as there is no FP functionality attached to that form, you'll be fine on a server without extensions. If you see any <webbot> validation code, it will not work on the server without the FP extensions installed.
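An added example, not part of the original thread or any poster's code: a small check that separates the two things discussed above, generator meta tags that only reveal the authoring tool, and webbot or extension-bound form markup that needs FrontPage Server Extensions to function. The marker strings (GENERATOR/ProgId meta tags, webbot comments, `_vti_bin` and `--WEBBOT-SELF--` form actions) are assumed to be typical FrontPage output, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser

class FrontPageAudit(HTMLParser):
    """Collects FrontPage traces, split into cosmetic vs. functional."""
    def __init__(self):
        super().__init__()
        self.fingerprints = []   # reveal the authoring tool only
        self.dependencies = []   # markup that relies on FrontPage extensions

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("generator", "progid"):
            if "frontpage" in a.get("content", "").lower():
                self.fingerprints.append(f'meta {a["name"]}="{a["content"]}"')
        elif tag == "form":
            action = a.get("action", "")
            if "_vti_bin" in action.lower() or "webbot-self" in action.lower():
                self.dependencies.append(f'form action="{action}"')
        elif tag == "webbot":
            self.dependencies.append(f'webbot bot="{a.get("bot", "")}"')

    def handle_comment(self, data):
        # FrontPage components are usually stored inside HTML comments.
        m = re.match(r'\s*webbot\s+bot="([^"]*)"', data, re.I)
        if m and not re.search(r"\bendspan\b", data, re.I):
            self.dependencies.append(f'webbot bot="{m.group(1)}"')

def audit(html):
    p = FrontPageAudit()
    p.feed(html)
    p.close()
    return {"fingerprints": p.fingerprints, "dependencies": p.dependencies}

# Constructed sample page (not taken from the site in the thread).
SAMPLE = """<html><head>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head><body>
<form method="POST" action="https://www.example.com/cgi-bin/contact">
<!--webbot bot="Validation" b-value-required="TRUE" -->
<input type="text" name="email">
</form></body></html>
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty `dependencies` list with non-empty `fingerprints` matches the situation described in the thread: the meta tags can be stripped without changing how the form behaves.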