FreeBSD : frontpage -- XSS vulnerability (c0171f59-ea8a-11da-be02-000c6ec775d9)
Medium Nessus Plugin ID 21591
Synopsis
The remote FreeBSD host is missing one or more security-related updates.
Description
Esteban Martinez Fayo reports:
The FrontPage Server Extensions 2002 (included in Windows Server 2003 IIS 6.0 and available as a separate download for Windows 2000 and XP) has a web page /_vti_bin/_vti_adm/fpadmdll.dll that is used for administrative purposes. This web page is vulnerable to cross site scripting attacks allowing an attacker to run client-side script on behalf of an FPSE user. If the victim is an administrator, the attacker could take complete control of a FrontPage Server Extensions 2002 server.
To exploit the vulnerability an attacker can send a specially crafted e-mail message to an FPSE user and then persuade the user to click a link in the e-mail message.
In addition, this vulnerability can be exploited if an attacker hosts a malicious website and persuades the user to visit it.
Solution
Update the affected packages.