FP97: Security Patch for FrontPage Personal Web Server

ID: q217765


The information in this article applies to:


SYMPTOMS

If you use FrontPage Personal Web Server 1.0 (Vhttpd32.exe version 2.0.2.xxxx) on Microsoft Windows 95 or Windows 98 operating systems, your web is vulnerable to unauthorized users accessing your files using a specific non-standard URL. The unauthorized users would have to know the exact file name to access it.

If you are using FrontPage Personal Web Server on Microsoft Windows NT, you are not affected.

Most users of Microsoft FrontPage are not affected: FrontPage Personal Web Server is available on the FrontPage CD, but it was installed only with FrontPage 1.1. Subsequent versions of FrontPage installed Microsoft Personal Web Server 2.0, which is not affected by this issue.


CAUSE

This vulnerability involves the ability of a malicious user to bypass the server's normal file access controls by typing a non-standard URL. The file must be specifically requested by name, so the malicious user would need to already know the name of the file, or correctly guess it. The vulnerability only affects users that host their own Web site with FrontPage Personal Web Server 1.0 (vhttpd32.exe version 2.0.2.xxxx).


RESOLUTION

Method 1: Upgrade to Microsoft Personal Web Server 4.0

If you do not need remote authoring support, it is recommended that you upgrade to Microsoft Personal Web Server 4.0 and install the patch for this web server.

For more information about downloading Microsoft Personal Web Server 4, please see the following Microsoft World Wide Web site:
http://www.microsoft.com/windows/ie/pws/default.htm
You may download the patch from the following Microsoft Support Site:
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe

Method 2: Install New Extensions and Patch

If you need the ability to remotely author a web, follow these steps:
  1. Download the latest extensions from the following Microsoft Office Update site:
    http://officeupdate.microsoft.com/isapi/goftp.asp?TARGET=/products/frontpage/fp98ext_x86_enu.exe


  2. Run the file to install it.


  3. Locate and open the Frontpg.ini file.


  4. In the [FrontPage 3.0] section add the following line:
    
    PWSRoot=c:\FrontPage Webs 


  5. Save and close the file.


  6. Download the FrontPage Personal Web Server patch from the following Microsoft Office Update site:
    http://premium.officeupdate.microsoft.com/download/officeupdate/fppws98.exe


  7. Run the file to install it.
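
An added example (not part of the original article): a Python helper that applies steps 3 to 5 idempotently to the text of Frontpg.ini and reports whether anything changed. Only the section name, key and value come from step 4; the function name, the constructed sample contents, the CRLF normalization and the case-insensitive matching of section and key names are assumptions.

```python
SECTION = "FrontPage 3.0"      # section named in step 4
KEY = "PWSRoot"                # key named in step 4
VALUE = r"c:\FrontPage Webs"   # value given in step 4

# Constructed sample, not a real Frontpg.ini; ExampleKey and x are placeholders.
SAMPLE = ("[FrontPage 2.0]\r\nPWSRoot=c:\\old\r\n\r\n"
          "[frontpage 3.0]\r\nExampleKey=1\r\n\r\n[Other]\r\nx=1\r\n")


def ensure_pwsroot(ini_text, section=SECTION, key=KEY, value=VALUE):
    """Return (new_text, changed) so that key=value is set in [section].

    Assumption: section and key names are compared case-insensitively.
    Changed output is written with CRLF line endings.
    """
    lines = ini_text.splitlines()
    wanted = f"{key}={value}"
    start = end = None                      # section body is lines[start:end]
    for i, raw in enumerate(lines):
        s = raw.strip()
        if s.startswith("[") and s.endswith("]"):
            if start is not None:           # next header closes our section
                end = i
                break
            if s[1:-1].strip().lower() == section.lower():
                start = i + 1
    if start is None:                       # section missing: append it
        if lines and lines[-1].strip():
            lines.append("")
        lines += [f"[{section}]", wanted]
        return "\r\n".join(lines) + "\r\n", True
    if end is None:
        end = len(lines)
    for i in range(start, end):
        name, sep, current = lines[i].partition("=")
        if sep and name.strip().lower() == key.lower():
            if current.strip() == value:
                return ini_text, False      # already configured, no rewrite
            lines[i] = wanted               # stale value: replace in place
            return "\r\n".join(lines) + "\r\n", True
    # Key absent: add it after the last non-blank line of the section,
    # so it cannot land in a neighbouring section.
    insert_at = end
    while insert_at > start and not lines[insert_at - 1].strip():
        insert_at -= 1
    lines.insert(insert_at, wanted)
    return "\r\n".join(lines) + "\r\n", True
```

Running the function a second time on its own output returns `changed == False`, which doubles as a check that step 4 was applied to the right section.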



MORE INFORMATION

For more information about this vulnerability, please see the following Microsoft Web site:
http://www.microsoft.com/security/bulletins/ms99-010.asp

For additional security-related information about Microsoft products, please visit the Web site at:
http://www.microsoft.com/security



Keywords          : kbdta 
Version           : WINDOWS:97
Platform          : WINDOWS 

Last Reviewed: July 1, 1999