File Access Vulnerability in Personal Web Server

ID: Q217763


The information in this article applies to:


SYMPTOMS

When you use either Microsoft Personal Web Server or Microsoft FrontPage Personal Web Server (PWS) on a computer running Microsoft Windows 95 or Windows 98, it may be possible for an unauthorized user to read or copy files from your computer using basic Internet browser software. The unauthorized user must request the file using a specific, non-standard URL, and must know or correctly guess the name of the file. Files cannot be modified or deleted, and new files cannot be written to the server.


RESOLUTION

This issue may affect two different products with similar names: Personal Web Server and FrontPage Personal Web Server.

How to Determine If You Are Using Personal Web Server 4.0

  1. Right-click the Personal Web Server icon on the right side of the taskbar, and then click Properties.


  2. If the Personal Web Manager dialog box appears, you have Personal Web Server version 4.0 installed and are affected by this issue. If the dialog box has any other title, you are not running PWS version 4.0 and you are not affected. You do not need the patch described in this article.


If you have Personal Web Server 4.0 installed on a computer running Windows 95 or Windows 98, you should obtain the latest Personal Web Server 4.0 security patch.

The English version of this fix should have the following file attributes or later:

   Date       Time      Version     Size      File name      Platform
   ------------------------------------------------------------------
   02/18/99   04:01pm   4.02.0685   328,000   Asp.dll        Win95/98
   02/18/99   04:00pm   4.02.0685    55,392   Httpodbc.dll   Win95/98
   02/18/99   03:59pm   4.02.0685    62,432   Iislog.dll     Win95/98
   02/18/99   03:59pm   4.02.0685   184,208   Infocomm.dll   Win95/98
   02/18/99   03:59pm   4.02.0685    29,520   Iscomlog.dll   Win95/98
   02/18/99   04:00pm   4.02.0685    11,248   Iwrps.dll      Win95/98
   02/18/99   03:58pm   4.02.0685    71,232   Metadata.dll   Win95/98
   02/18/99   04:00pm   4.02.0685   227,424   W3svc.dll      Win95/98
   02/18/99   03:59pm   4.02.0685    87,504   Wam.dll        Win95/98 
The following file is available for download from the Microsoft Software Library:
Pwssecup.exe
Release Date: Mar-25-1999

For more information about downloading files from the Microsoft Software Library, please see the following article in the Microsoft Knowledge Base:
Q119591 How to Obtain Microsoft Support Files from Online Services

How to Determine If You Are Using FrontPage Personal Web Server

  1. After starting FrontPage, click Open FrontPage Web on the File menu, click More Webs, and then click List Webs.


  2. If you have FrontPage Personal Web Server installed, a taskbar icon named "Web Server idle" appears on the taskbar. If the icon does not appear on the taskbar, you do not have FrontPage Personal Web Server installed.


To Apply the Patch

If you experience difficulties installing the patch or require technical assistance with the patch, please contact Microsoft Product Support Services. For information about contacting Microsoft Product Support Services, please visit the following Microsoft Web site:
http://support.microsoft.com/support/contact/default.asp
NOTE: Personal Web Server (all versions) running on Microsoft Windows NT 4.0 is not affected by this issue.


STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.


MORE INFORMATION

For more information about this vulnerability, please see the following Microsoft Web site:

http://www.microsoft.com/security/bulletins/ms99-010.asp
For additional security-related information about Microsoft products, please visit the following Microsoft Web site:
http://www.microsoft.com/security

Additional query words:


Keywords          : kbinterop kbnetwork kbInternet 
Version           : WINDOWS:4.0
Platform          : WINDOWS 
Issue type        : kbbug 

Last Reviewed: March 27, 1999