MS06-017: FrontPage fpadmdll.dll Multiple Parameter XSS (917627)

medium Nessus Plugin ID 21247

Synopsis

The remote web server contains a server extension that is affected by a cross-site scripting vulnerability.

Description

The version of Microsoft FrontPage Server Extensions 2002 / SharePoint Team Services on the remote host is affected by a cross-site scripting (XSS) vulnerability due to improper sanitization of user-supplied input to the 'operation', 'command', and 'name' parameters to file /_vti_bin/_vti_adm/fpadmdll.dll before using the input to generate dynamic HTML. A remote attacker can exploit this issue to cause arbitrary HTML and script code to be executed in a user's browser session in the context of the affected website.

Solution

Microsoft has released a set of patches for Frontapage 2002 for XP and 2003.

See Also

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-017

Plugin Details

Severity: Medium

ID: 21247

File Name: frontpage_fpadmdll_xss.nasl

Version: 1.30

Type: local

Agent: windows

Published: 4/21/2006

Updated: 11/15/2018

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:frontpage_server_extensions

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/11/2006

Reference Information

CVE: CVE-2006-0015

BID: 17452

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990

MSFT: MS06-017

MSKB: 908981, 911701, 911831