Microsoft KB Archive/217765

= FP97: Your Web Is Vulnerable If You Use FrontPage Personal Web Server 1.0 Without the Patch =

Article ID: 217765

Article Last Modified on 7/4/2007

-

APPLIES TO

 Microsoft FrontPage 97 Standard Edition, when used with:  Microsoft Windows 95

 Microsoft Windows 98 Standard Edition 

-



This article was previously published under Q217765



SYMPTOMS
If you use FrontPage Personal Web Server 1.0 (Vhttpd32.exe version 2.0.2.xxxx) on Microsoft Windows 95 or Microsoft Windows 98, your Web is vulnerable to unauthorized users who may access your files by using a specific non-standard URL. The unauthorized users must know the exact file name to access the file.

If you are using FrontPage Personal Web Server on Microsoft Windows NT 4.0, this problem does not affect you.

Most users of Microsoft FrontPage are not affected, because the FrontPage Personal Web Server is available on the FrontPage CD, but was only installed with FrontPage 1.1. Subsequent versions of FrontPage installed Microsoft Personal Web Server 2.0, which is not affected by this issue.



CAUSE
This vulnerability involves the ability of a malicious user to bypass the server's normal file access controls by typing a non-standard URL. The file must be specifically requested by name, so the malicious user must already know the name of the file or correctly guess the name. The vulnerability only affects users who host their own Web site with FrontPage Personal Web Server 1.0 (vhttpd32.exe version 2.0.2.xxxx).



RESOLUTION
To resolve this problem, use one of the following methods.

Method 1: Upgrade to Microsoft Personal Web Server 4.0
If you do not need remote authoring support, Microsoft recommends that you upgrade to Microsoft Personal Web Server 4.0 and install the patch for this Web server.

For more information about downloading Microsoft Personal Web Server 4, see the following Microsoft Web site.

NOTE: Microsoft Personal Web Server 4 is installed by Windows NT 4.0 Option Pack for Windows 95.

http://www.microsoft.com/downloads/details.aspx?FamilyID=05c301d2-51f6-4cc1-b750-02f3c3141a71&displaylang=en

You can download the patch from the Microsoft Download Center. The following file is available for download from the Microsoft Download Center:

Download Pwssecup.exe now

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Method 2: Install New Extensions and the Patch
If you need to remotely author a Web, follow these steps: <ol> Download the latest extensions from Microsoft Web site.</li> Run the file to install it.</li> Locate and open the Frontpg.ini file. This file should be located in your Windows folder.</li>  In the [FrontPage 3.0] section, add the following line: PWSRoot=c:\FrontPage Webs </li> Save and close the file.</li> Download the FrontPage Personal Web Server patch from the following Microsoft Web site:The following file is available for download from the Microsoft Download Center:

Download Fppws98.exe now

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

</li> Run the file to install it.</li></ol>

<div class="moreinformation_section">

MORE INFORMATION
For more information about this vulnerability, see the following Microsoft Web site:

http://www.microsoft.com/technet/security/Bulletin/MS99-010.mspx

For additional security related information about Microsoft products, please visit the Web site at:

http://www.microsoft.com/security

Additional query words: front page fix add-on add on update

Keywords: kbdownload kbprb KB217765

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.