File Access Vulnerability in Personal Web Server
ID: Q217763
|
The information in this article applies to:
-
Microsoft Personal Web Server version 4.0 for Windows 95
-
Microsoft FrontPage 97 for Windows
-
Microsoft FrontPage 98 for Windows
-
Microsoft Windows 98
SYMPTOMS
When you use either Microsoft Personal Web Server or Microsoft FrontPage Personal Web Server (PWS) on a computer running Microsoft Windows 95 or Windows 98, it may be possible for an unauthorized user to read or copy files from your computer using basic Internet browser software. The unauthorized user must request the file using a specific, non-standard URL, and must know or correctly guess the name of the file. Files cannot be modified or deleted, and new files cannot be written to the server.
RESOLUTION
This issue may affect two different products with similar names: Personal Web Server and FrontPage Personal Web Server.
- Personal Web Server is available as part of Microsoft Windows NT 4.0 Option Pack (NTOP), Windows 98, and Windows 95 OEM Service Release 2.
The Personal Web Server 4.0 program included with NTOP and the Windows 98 version of Personal Web Server 4.0 are affected by this issue.
The Personal Web Server program included with Windows 95 OEM Service Release 2 is not affected. No other version of Personal Web Server (on any platform) is affected.
- FrontPage Personal Web Server is available as part of FrontPage 1.1, FrontPage 97, and FrontPage 98 and is affected by this issue. However, FrontPage 97 and FrontPage 98 users may not have FrontPage Personal Web Server installed. By default, FrontPage 97 and FrontPage 98 install Personal Web Server 2.0, which is not affected by this issue.
How to Determine If You Are Using Personal Web Server 4.0
- Right-click the Personal Web Server icon on the right side of the taskbar, and then click Properties.
-
If the Personal Web Manager dialog box appears, you have Personal Web Server version 4.0 installed and are affected by this issue. If the dialog box has any other title, you are not running PWS version 4.0 and you are not affected. You do not need the patch described in this article.
If you have Personal Web Server 4.0 installed on a computer running Windows 95 or Windows 98, you should obtain the latest Personal Web Server 4.0 security patch.
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name Platform
------------------------------------------------------------------
02/18/99 04:01pm 4.02.0685 328,000 Asp.dll Win95/98
02/18/99 04:00pm 4.02.0685 55,392 Httpodbc.dll Win95/98
02/18/99 03:59pm 4.02.0685 62,432 Iislog.dll Win95/98
02/18/99 03:59pm 4.02.0685 184,208 Infocomm.dll Win95/98
02/18/99 03:59pm 4.02.0685 29,520 Iscomlog.dll Win95/98
02/18/99 04:00pm 4.02.0685 11,248 Iwrps.dll Win95/98
02/18/99 03:58pm 4.02.0685 71,232 Metadata.dll Win95/98
02/18/99 04:00pm 4.02.0685 227,424 W3svc.dll Win95/98
02/18/99 03:59pm 4.02.0685 87,504 Wam.dll Win95/98
The following file is available for download from the Microsoft
Software Library:
Pwssecup.exe
Release Date: Mar-25-1999
For more information about downloading files from the Microsoft Software
Library, please see the following article in the Microsoft Knowledge Base:
Q119591 How to Obtain Microsoft Support Files from Online Services
How to Determine If You Are Using FrontPage Personal Web Server
- After starting FrontPage, click Open FrontPage Web on the File menu, click More Webs, and then click List Webs.
-
If you have FrontPage Personal Web Server installed, a taskbar icon named "Web Server idle" appears on the taskbar. If the icon does not appear on the taskbar, you do not have FrontPage Personal Web Server installed.
To Apply the Patch
- If you are using FrontPage 1.1 or FrontPage 97, and you have FrontPage Personal Web Server installed, please see the following article in the Microsoft Knowledge Base:
Q217765 FP97: Security Patch for FrontPage Personal Web Server
- If you are using FrontPage 98, and you have FrontPage Personal Web Server installed, please see the following article in the Microsoft Knowledge Base:
Q216453 FP98: Security Patch for FrontPage Personal Web Server
If you experience difficulties installing the patch or require technical assistance with the patch, please contact Microsoft Product Support Services. For information about contacting Microsoft Product Support Services, please visit the following Microsoft Web site:
http://support.microsoft.com/support/contact/default.asp
NOTE: Personal Web Server (all versions) running on Microsoft Windows NT 4.0 is not affected by this issue.
STATUS
Microsoft has confirmed this to be a problem in the Microsoft products listed
at the beginning of this article.
MORE INFORMATION
For more information about this vulnerability, please see the following Microsoft Web site:
http://www.microsoft.com/security/bulletins/ms99-010.asp
For additional security-related information about Microsoft products, please visit the following Microsoft Web site:
http://www.microsoft.com/security
Additional query words:
Keywords : kbinterop kbnetwork kbInternet
Version : WINDOWS:4.0
Platform : WINDOWS
Issue type : kbbug
Last Reviewed: March 27, 1999