Friday, May 13, 2011

Many Security Holes in the Microsoft Frontpage extensions

In recent days we have noticed that many people whose sites have suffered from hacking activity migrate to CentrioHost to prevent their site from being hacked again. We have already posted some articles for them on how to prevent site hacking. We have also recently noticed that sites hosted with FrontPage Extensions enabled are getting hacked these days :( Here we explain these issues....

First of all, Frontpage is brain damaged (just have to set the stage).

Ok, Frontpage works like this when you want to publish files:

It tries to GET "http://www.yourdomain.com/_vti_inf.html".  This file contains the version of the FP extensions and the path on the server where the extensions are located. When you use Frontpage to upload content, it will try to fetch this file; if it can, it then tries to POST to "http://www.yourdomain.com/_vti_bin/shtml.exe/_vti_rpc" (that's the default).

This server binary is not password protected, so the client is able to post a query to it.  The first thing it does is establish the protocol revision in which the client and server are going to talk, and what functions the server provides.

If you have any people using Frontpage, it's likely that they FTPed the _vti_inf.html from their home machine up to your site.  Then they tried to publish, and it tried HTTP first.  If HTTP fails, it just kicks over to FTP as the publishing protocol (and notifies the user that they can't use WebBots and stuff).

Incidentally, I passionately hate the FP extensions.  They are fundamentally stupid in nearly all respects of implementation.

Firstly, they maintain a crapload of meta files (one shadow for every file managed), and they keep all of their config info in a bunch of text files in the _vti_pvt directory.  (Oh, BTW, there exists a very HUGE privacy hole in the FP extensions).  If you go to a site that has FP extensions, just pick any directory in the URL, yank the filename off, and put "_vti_cnf" there instead...you'll get a complete listing of all the files in the real directory.  With this you can snatch files that weren't meant to be seen by the public...and it's available on ALL FP enabled sites.

Hmm, I've contributed a "privacy bug" now. :)

Want to know an even cooler hack?  Want to break into Frontpage enabled sites?

Just snarf the "administrators.pwd" and "authors.pwd" file in:

"http://www.yourdomain.com/_vti_pvt/administrators.pwd"

That'll net you the password file for the web.  Just convert it properly and run Crack on it to obtain a useful password for defacing web sites!

Want even more???

Frontpage 98 fucks up the permissions so bad that it makes the _vti_pvt directory WORLD WRITABLE!!! No shit, you can do whatever you want to stuff in that directory.

Hmm, I love incompetent nitwits that think they can buy someone else's crappy Unix shit and sell it as their own!!! :)

Oh, you know why all the directories begin with "VTI"???

"Vermeer Technology Inc", the company that M$ bought for Frontpage. :)
____________________________

Never use FrontPage Extensions; with them your site can be hacked easily!! We don't offer these extensions, but if you migrate your site from another server, these files will come over to your new site from the other host. Also, if you upload with the FrontPage software, it creates these directories in your public_html folder, and hackers can easily hack your site. - Security Dept, CentrioHost.com

Friday, May 6, 2011

10 Tips - How to build a good website

If you want to promote your organisation or your project, you have to be on the web. Nowadays, it is the first resource that people turn to for information. These 10 useful tips can help you communicate what you want to say.
  

1. Define your audience. Fundamental, but many people forget it! What audience do you want to reach? Fellow scientists? Consortium partners? Potential investors? Journalists? Institutional bodies? The target audience determines what content you present.

2. Think about your content. Most of your visitors won't know the subject as well as you do, and have little time to spend reading! So keep it simple and short. Avoid jargon, be concise, focus on the successes and attract your audience by announcing exploitable developments or technologies and their potential benefits.

3. Plan a clear structure. This step is vital. The site should be easy to navigate. Produce a sitemap of your proposed web content. Visitors should ideally find information in 2-3 clicks maximum.

4. Make it look good. It sounds so basic, yet it matters! If it looks nice, people tend to give it more value. A good design reflects well on your organisation or project.

5. Limit graphic content. Multimedia can make your content more attractive, but don't overdo it. Use graphics only if they support your message - white space has proven to be important in communications. Overly large images also slow page loading for people with poor connections.

6. Offer easily searchable content. Have a 'search engine' box on the front page. A number of tools can be found on the web to help you do this, including Google.

7. Update your content regularly. Sites with regularly changing content attract more visitors. Archive what’s out-of-date, update with new content, ensure that you don’t have broken links and add new functions.

8. Be media-friendly. Be ready to feed content to the media by preparing press releases, brochures, CVs of relevant contact people, info about key partners and addresses to be contacted. Put them in a 'Press' section on your site, and don't forget images.

9. Make it interactive. Allow visitors to interact with the content author or producer. Host a discussion forum or start a blog – it may encourage visitors to drop in more often.

10. Domain name is important! Last but not least, today we remember website names as we used to remember phone numbers. So make sure that your domain name is easy to remember.

Monday, March 21, 2011

SecFilterEngine and SecFilterScanPOST

If your script's hosting requirements call for SecFilterEngine Off or SecFilterScanPOST Off, do not worry.

Those directives apply to Apache 1.x, but CentrioHost uses Apache 2.x.

We can't completely disable mod_security, but we can find the rules blocking your scripts (403 error) and disable those specific rules. Thus, we can meet these requirements.
  
Simply contact CentrioHost via phone or live chat to report mod security blockage.
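As an added example (not CentrioHost's own tooling), here is how a host can pull the blocking rule IDs out of the Apache error log and turn them into per-path mod_security 2.x exceptions, which is the modern equivalent of the old SecFilterEngine Off request. The log lines, rule IDs, hostnames and script paths below are constructed placeholders; the generated blocks belong in the server or virtual-host configuration, since stock mod_security 2.x does not read directives from .htaccess.

```shell
#!/bin/sh
# Added example: find which mod_security 2.x rules return 403 for a customer's
# scripts and generate matching SecRuleRemoveById exceptions.
# Constructed sample error_log lines (not real traffic); rule IDs, hostnames
# and paths are placeholders.
SAMPLE_LOG='[Mon Mar 21 10:02:11 2011] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:select)" at ARGS:body. [file "/etc/modsecurity/base_rules.conf"] [line "42"] [id "950004"] [msg "SQL Injection Attack"] [hostname "www.example.com"] [uri "/forum/post.php"] [unique_id "c1"]
[Mon Mar 21 10:02:13 2011] [error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "(?i:script)" at ARGS:sig. [file "/etc/modsecurity/base_rules.conf"] [line "77"] [id "960015"] [msg "Request Missing an Accept Header"] [hostname "www.example.com"] [uri "/forum/post.php"] [unique_id "c2"]
[Mon Mar 21 10:05:40 2011] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:union)" at ARGS:q. [file "/etc/modsecurity/base_rules.conf"] [line "51"] [id "960010"] [msg "Request content type is not allowed"] [hostname "www.example.com"] [uri "/forum/post.php"] [unique_id "c3"]
[Mon Mar 21 10:09:02 2011] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:select)" at ARGS:body. [file "/etc/modsecurity/base_rules.conf"] [line "42"] [id "950004"] [msg "SQL Injection Attack"] [hostname "www.example.com"] [uri "/forum/post.php"] [unique_id "c4"]
[Mon Mar 21 10:11:15 2011] [error] [client 192.0.2.44] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/base_rules.conf"] [line "90"] [id "950001"] [msg "Inbound Anomaly Score Exceeded"] [hostname "shop.example.com"] [uri "/shop/cart.php"] [unique_id "c5"]'

# Print "uri rule-id" for every request mod_security actually denied (403),
# ignoring plain warnings and collapsing repeated hits on the same rule.
blocked_rules() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep 'ModSecurity: Access denied with code 403' \
        | sed -n 's/.*\[id "\([0-9]*\)"\].*\[uri "\([^"]*\)"\].*/\2 \1/p' \
        | sort -u
}

# Turn the pairs into mod_security 2.x exceptions scoped to the exact script
# path, so the engine stays on everywhere else (SecRuleEngine is never touched).
emit_exceptions() {
    blocked_rules | awk '
        { ids[$1] = ids[$1] " " $2 }
        END {
            for (u in ids)
                printf "<Location %s>\n    SecRuleRemoveById%s\n</Location>\n", u, ids[u]
        }'
}

emit_exceptions
```

Point `SAMPLE_LOG` at the real error_log (for example with `cat /var/log/httpd/error_log`) to run it against live denials; the Warning line shows why filtering on the 403 text matters, since warnings do not block the script.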
 
