Microsoft KB Archive/259799

= FP98: FrontPage 98 Server Extensions DLL Exposes Security Vulnerability =

Article ID: 259799

Article Last Modified on 6/15/2004


APPLIES TO


 * Microsoft FrontPage 98 Standard Edition




This article was previously published under Q259799



SYMPTOMS
The Dvwssr.dll file, which is included in several Web server products, does not perform access-control checks correctly. Because of this, there is a possibility that a user with Web Authoring permissions on a Web site can view ASP files that belong to other Web sites hosted on the same computer, if that user has read permissions on those files.

NOTE: This problem only occurs on a computer that is running Microsoft Internet Information Server (IIS). This problem does not occur when you run the FrontPage 98 Server Extensions on a UNIX-based Web server.



RESOLUTION
To eliminate this vulnerability, delete all copies of the Dvwssr.dll file from your computer. When you do this, the only functionality that is lost is the ability to generate a link view by using Visual InterDev 1.0. In the FrontPage 98 Server Extensions, the DLL is found in the following location:

_vti_bin\_vti_aut\Dvwssr.dll

Other resolutions for this issue include the following:
 * Upgrade to FrontPage 2000 Server Extensions.
 * Install Office 2000 Server Extensions.
 * Upgrade from Microsoft Windows NT 4.0 Server to Microsoft Windows 2000.
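For the first resolution above (deleting all copies of Dvwssr.dll), the following added example, which is not part of the original article or any Microsoft tool, inventories every copy under a directory root and marks which ones sit in the `_vti_bin\_vti_aut` location the article names. The function names, labels and sample directory tree are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

TARGET = "dvwssr.dll"                  # file name from the article
FP_WEB_DIR = ["_vti_bin", "_vti_aut"]  # FrontPage 98 location from the article


def classify(path):
    """Label a copy by whether its parent folders are _vti_bin/_vti_aut."""
    parents = [part.lower() for part in Path(path).parts[-3:-1]]
    return "frontpage-web-path" if parents == FP_WEB_DIR else "other-location"


def find_copies(root):
    """Return sorted (path, label) pairs for every Dvwssr.dll under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == TARGET:  # Windows file names are case-insensitive
                full = os.path.join(dirpath, name)
                hits.append((full, classify(full)))
    return sorted(hits)


def demo():
    """Scan a constructed directory tree (sample data, not a real server)."""
    samples = [
        "wwwroot/siteA/_vti_bin/_vti_aut/Dvwssr.dll",
        "wwwroot/siteB/_VTI_BIN/_VTI_AUT/DVWSSR.DLL",
        "Program Files/Microsoft FrontPage/dvwssr.dll",
        "wwwroot/siteA/_vti_bin/_vti_aut/author.dll",  # unrelated file, ignored
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in samples:
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"")
        return [(Path(p).relative_to(root).as_posix(), label)
                for p, label in find_copies(root)]


if __name__ == "__main__":
    for path, label in demo():
        print(f"{label:20} {path}")
```

To audit a real volume, call `find_copies` with the drive or mounted-image root; it only lists files and deletes nothing.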



STATUS
Microsoft has confirmed that this is a problem in Microsoft FrontPage 98 for Windows.



MORE INFORMATION
The Dvwssr.dll file is included with FrontPage 98, the FrontPage 98 Server Extensions, and the Windows NT 4.0 Option Pack (which also includes the FrontPage 98 Server Extensions). The Dvwssr.dll file is not included with FrontPage 2000, the FrontPage 2000 Server Extensions, Windows 2000, or Microsoft Internet Information Services 5.0.

The Dvwssr.dll file is a server-side component that enables access to files on the server for the Link View feature in Visual InterDev 97 (Visual InterDev 1.0). Access to the DLL is permitted to users who have Web Authoring permissions on any FrontPage Web on the server. Therefore, a user can use this DLL to view files on other FrontPage Webs on the same server for which that user does not have permissions, provided that the user knows the location of the file.

Upgrading from the Windows NT 4.0 Option Pack to Windows 2000 removes the DLL from active use in the Web. The DLL is still on the system in the Program Files/Microsoft FrontPage directory, but the file is no longer accessible through HTTP, which eliminates the security vulnerability.

There are some significant restrictions to this vulnerability, as follows:
 * Only servers that are hosting multiple Web sites can be affected.
 * Only a user who has Web Authoring permissions on at least one site on the server can request a file. That user also needs to know the name and location of the file on the server.
 * Only ASP files (and the Global.asa file, which is a special-case ASP file) can be retrieved.
 * The files are only sent if the user who requests the files has read permissions on them. In most cases, this means that the files have read permissions granted to the Everyone group.

Affected Software and Versions
The affected component is part of Visual InterDev 1.0. However, it is a server-side component and is included in the following products:
 * Windows NT 4.0 Option Pack
 * Personal Web Server 4.0, which is included with Microsoft Windows 95 and Microsoft Windows 98

For more information about this issue, please see the following references:
 * Frequently Asked Questions: Microsoft Security Bulletin MS00-025
 * Microsoft TechNet Security Web site


© Microsoft Corporation. All rights reserved.