 Microsoft FrontPage Server Extensions Buffer Overflow May Let Remote Users Execute Arbitrary Code
Category: Vulnerability
Posted: 2003-11-12 by ReCall
 
Description: Two vulnerabilities were reported in Microsoft FrontPage Server Extensions (FPSE). A remote user can execute arbitrary code on a target user's system or cause denial of service conditions.

It is reported that there is a buffer overflow in the remote debug functionality of FPSE [CVE: CAN-2003-0822]. Due to a flaw in one of the DLL files, a remote user can send a specially crafted packet to the FrontPage Server Extensions to execute arbitrary code with Local System privileges.

It is also reported that there is a flaw in the SmartHTML interpreter. A remote user can make a particular type of invalid request to FPSE to cause a target server running FrontPage Server Extensions to temporarily stop responding to requests [CVE: CAN-2003-0824]. The remote user can cause the SmartHTML interpreter to temporarily cycle, consuming all CPU resources for a temporary period of time.

Microsoft reports that Windows 2000 SP4 is not affected by either flaw. Also, FrontPage Server Extensions are not configured by default on Windows XP and Windows NT 4.0.

Microsoft SharePoint Team Services on Windows XP is also affected [a separate Alert will be issued for SharePoint].

Microsoft credits Brett Moore of Security-Assessment.com with reporting these flaws.

Impact: A remote user can execute arbitrary code on the target system with Local System privileges.


A remote user can cause denial of service conditions on the target system, causing the system to consume all available CPU resources for a temporary period of time.

Solution: Microsoft has issued the following fixes:


Microsoft FrontPage Server Extensions 2000:

http://www.microsoft.com/downloads/details.aspx?FamilyId=C84C3D10-A821-4819-BF58-D3BC70A77BFA&displaylang=en

Microsoft FrontPage Server Extensions 2000 (Shipped with Windows 2000):

http://www.microsoft.com/downloads/details.aspx?FamilyId=057D5F0E-0E2B-47D2-9F0F-3B15DD8622A2&displaylang=en

Microsoft FrontPage Server Extensions 2000 (Shipped with Windows XP):

http://www.microsoft.com/downloads/details.aspx?FamilyId=9B302532-BFAB-489B-82DC-ED1E49A16E1C&displaylang=en

Microsoft FrontPage Server Extensions 2002:

http://www.microsoft.com/downloads/details.aspx?FamilyId=3E8A21D9-708E-4E69-8299-86C49321EE25&displaylang=en

Microsoft plans to include this fix in any future Service Pack for Office XP.

This update supersedes the security updates contained in the MS01-035 and MS02-053 security bulletins.

As part of this fix, Microsoft has removed the remote debugging functionality, as the function is no longer supported (Terminal Server can be used for remote debugging, the report said).

See the Microsoft advisory for a list of workarounds and a description of installation options:

http://www.microsoft.com/technet/security/bulletin/MS03-051.asp
 