FrontPage authors.pwd available
Description
The Microsoft FrontPage Server Extensions configuration file '_vti_pvt/authors.pwd' is publicly accessible via web requests. This file is part of the FrontPage administrative directory structure and may contain usernames, password hashes, and other authentication credentials used for site administration. The file should be protected by default but may become exposed due to misconfigured web server permissions or directory access controls.
Remediation
Immediately restrict access to the '_vti_pvt' directory and its contents by implementing the following measures:
1. Configure web server access controls to deny all HTTP/HTTPS requests to the '_vti_pvt' directory. For IIS servers, ensure the directory has appropriate NTFS permissions (remove read access for IUSR and IIS_IUSRS accounts).
2. Add explicit deny rules in your web server configuration. For IIS, use web.config:
   <configuration>
     <system.webServer>
       <security>
         <requestFiltering>
           <hiddenSegments>
             <add segment="_vti_pvt" />
           </hiddenSegments>
         </requestFiltering>
       </security>
     </system.webServer>
   </configuration>
3. If FrontPage Server Extensions are no longer needed, completely remove them from the server.
4. After remediation, verify the file is inaccessible by requesting it in a web browser and confirming that a 403/404 error is returned.
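A scripted form of the check in step 4, added here as an example and not part of the original advisory. It treats 403/404 as blocked and flags a 200 response that still looks like the password file, so a custom error page served with status 200 is not mistaken for either case. The `# -FrontPage-` header marker and the `user:hash` line shape are assumptions about the file's contents; the base URL is supplied on the command line.

```python
import re
import sys
import urllib.error
import urllib.request

PWD_PATH = "/_vti_pvt/authors.pwd"      # file named in this finding
MARKER = "# -FrontPage-"                # assumed header line of a FrontPage .pwd file
ENTRY = re.compile(r"^[^\s:]+:\S+$")    # assumed "user:hash" entry shape


def looks_like_pwd(body: bytes) -> bool:
    """True if the body resembles a FrontPage password file."""
    lines = [l.strip() for l in body.decode("latin-1").splitlines() if l.strip()]
    if lines and lines[0].startswith(MARKER):
        return True
    entries = [l for l in lines if not l.startswith("#")]
    return bool(entries) and all(ENTRY.match(l) for l in entries)


def classify(status: int, body: bytes) -> str:
    """Map one HTTP response to 'blocked', 'exposed' or 'review'."""
    if status in (403, 404):
        return "blocked"                # the outcome step 4 expects
    if status == 200 and looks_like_pwd(body):
        return "exposed"                # credentials are still being served
    return "review"                     # soft error page, redirect target, 5xx, ...


def fetch(base_url: str, timeout: float = 10.0):
    """Request the file and return (status, first 4 KiB of the body)."""
    url = base_url.rstrip("/") + PWD_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)


if __name__ == "__main__":
    status, body = fetch(sys.argv[1])
    verdict = classify(status, body)
    print(f"{PWD_PATH}: HTTP {status} -> {verdict}")  # the body is never printed
    sys.exit(0 if verdict == "blocked" else 1)
```

The non-zero exit code on anything other than "blocked" lets the check run as a post-deployment gate.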