File Access Vulnerability in Personal Web Server

ID: Q217763

The information in this article applies to:

Microsoft Personal Web Server version 4.0 for Windows 95
Microsoft FrontPage 97 for Windows
Microsoft FrontPage 98 for Windows
Microsoft Windows 98

SYMPTOMS

When you use either Microsoft Personal Web Server or Microsoft FrontPage Personal Web Server (PWS) on a computer running Microsoft Windows 95 or Windows 98, it may be possible for an unauthorized user to read or copy files from your computer using basic Internet browser software. The unauthorized user must request the file using a specific, non-standard URL, and must know or correctly guess the name of the file. Files cannot be modified or deleted, and new files cannot be written to the server.

RESOLUTION

This issue may affect two different products with similar names: Personal Web Server and FrontPage Personal Web Server.

Personal Web Server is available as part of Microsoft Windows NT 4.0 Option Pack (NTOP), Windows 98, and Windows 95 OEM Service Release 2.

The Personal Web Server 4.0 program included with NTOP and the Windows 98 version of Personal Web Server 4.0 are affected by this issue.

The Personal Web Server program included with Windows 95 OEM Service Release 2 is not affected. No other version of Personal Web Server (on any platform) is affected.

FrontPage Personal Web Server is available as part of FrontPage 1.1, FrontPage 97, and FrontPage 98 and is affected by this issue. However, FrontPage 97 and FrontPage 98 users may not have FrontPage Personal Web Server installed. By default, FrontPage 97 and FrontPage 98 install Personal Web Server 2.0, which is not affected by this issue.

How to Determine If You Are Using Personal Web Server 4.0

Right-click the Personal Web Server icon on the right side of the taskbar, and then click Properties.

If the Personal Web Manager dialog box appears, you have Personal Web Server version 4.0 installed and are affected by this issue. If the dialog box has any other title, you are not running PWS version 4.0 and you are not affected. You do not need the patch described in this article.

If you have Personal Web Server 4.0 installed on a computer running Windows 95 or Windows 98, you should obtain the latest Personal Web Server 4.0 security patch.

The English version of this fix should have the following file attributes or later:


   Date       Time      Version     Size      File name      Platform
   ------------------------------------------------------------------
   02/18/99   04:01pm   4.02.0685   328,000   Asp.dll        Win95/98
   02/18/99   04:00pm   4.02.0685    55,392   Httpodbc.dll   Win95/98
   02/18/99   03:59pm   4.02.0685    62,432   Iislog.dll     Win95/98
   02/18/99   03:59pm   4.02.0685   184,208   Infocomm.dll   Win95/98
   02/18/99   03:59pm   4.02.0685    29,520   Iscomlog.dll   Win95/98
   02/18/99   04:00pm   4.02.0685    11,248   Iwrps.dll      Win95/98
   02/18/99   03:58pm   4.02.0685    71,232   Metadata.dll   Win95/98
   02/18/99   04:00pm   4.02.0685   227,424   W3svc.dll      Win95/98
   02/18/99   03:59pm   4.02.0685    87,504   Wam.dll        Win95/98

The following file is available for download from the Microsoft Software Library:

Pwssecup.exe

Release Date: Mar-25-1999

For more information about downloading files from the Microsoft Software Library, please see the following article in the Microsoft Knowledge Base:

Q119591 How to Obtain Microsoft Support Files from Online Services

How to Determine If You Are Using FrontPage Personal Web Server

After starting FrontPage, click Open FrontPage Web on the File menu, click More Webs, and then click List Webs.

If you have FrontPage Personal Web Server installed, a taskbar icon named "Web Server idle" appears on the taskbar. If the icon does not appear on the taskbar, you do not have FrontPage Personal Web Server installed.

To Apply the Patch

If you are using FrontPage 1.1 or FrontPage 97, and you have FrontPage Personal Web Server installed, please see the following article in the Microsoft Knowledge Base:
Q217765 FP97: Security Patch for FrontPage Personal Web Server
If you are using FrontPage 98, and you have FrontPage Personal Web Server installed, please see the following article in the Microsoft Knowledge Base:
Q216453 FP98: Security Patch for FrontPage Personal Web Server

If you experience difficulties installing the patch or require technical assistance with the patch, please contact Microsoft Product Support Services. For information about contacting Microsoft Product Support Services, please visit the following Microsoft Web site:

http://support.microsoft.com/support/contact/default.asp

NOTE: Personal Web Server (all versions) running on Microsoft Windows NT 4.0 is not affected by this issue.

STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.

MORE INFORMATION

For more information about this vulnerability, please see the following Microsoft Web site:

http://www.microsoft.com/security/bulletins/ms99-010.asp

For additional security-related information about Microsoft products, please visit the following Microsoft Web site:

http://www.microsoft.com/security

Additional query words:


Keywords          : kbinterop kbnetwork kbInternet 
Version           : WINDOWS:4.0
Platform          : WINDOWS 
Issue type        : kbbug

Last Reviewed: March 27, 1999