Microsoft KB Archive/217763

= File access vulnerability in Personal Web Server =

Article ID: 217763

Article Last Modified on 3/29/2007

-

APPLIES TO


 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Personal Web Server 4.0
 * Microsoft FrontPage 97 Standard Edition
 * Microsoft FrontPage 98 Standard Edition
 * Microsoft Windows 98 Standard Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition

-



This article was previously published under Q217763



SYMPTOMS
When you use either Microsoft Personal Web Server or Microsoft FrontPage Personal Web Server (PWS) on a computer running Microsoft Windows 95, Windows 98, or Windows NT 4.0, it may be possible for an unauthorized user to read or copy files from your computer using basic Internet browser software. The unauthorized user must request the file using a specific, non-standard URL, and must know or correctly guess the name of the file. Files cannot be modified or deleted, and new files cannot be written to the server.



Windows NT Server or Workstation 4.0
This issue may affect two different products with similar names: Personal Web Server and FrontPage Personal Web Server.
 * Personal Web Server is available as part of Microsoft Windows NT 4.0 Option Pack (NTOP), Windows 98, and Windows 95 OEM Service Release 2.

The Personal Web Server 4.0 program included with NTOP and the Windows 98 version of Personal Web Server 4.0 are affected by this issue.

The Personal Web Server program included with Windows 95 OEM Service Release 2 is not affected. No other version of Personal Web Server (on any platform) is affected.
 * FrontPage Personal Web Server is available as part of FrontPage 1.1, FrontPage 97, and FrontPage 98 and is affected by this issue. However, FrontPage 97 and FrontPage 98 users may not have FrontPage Personal Web Server installed. By default, FrontPage 97 and FrontPage 98 install Personal Web Server 2.0, which is not affected by this issue.

How to Determine If You Are Using Personal Web Server 4.0

 * 1) Right-click the Personal Web Server icon on the right side of the taskbar, and then click Properties.
 * 2) If the Personal Web Manager dialog box appears, you have Personal Web Server version 4.0 installed and are affected by this issue. If the dialog box has any other title, you are not running PWS version 4.0 and you are not affected. You do not need the patch described in this article.

If you have Personal Web Server 4.0 installed on a computer running Windows 95 or Windows 98, you should obtain the latest Personal Web Server 4.0 security patch.

The English version of this fix should have the following file attributes or later:

  Date       Time      Version     Size      File name      Platform --  02/18/99   04:01pm   4.02.0685   328,000   Asp.dll        Win95/98 02/18/99  04:00pm   4.02.0685    55,392   Httpodbc.dll   Win95/98 02/18/99  03:59pm   4.02.0685    62,432   Iislog.dll     Win95/98 02/18/99  03:59pm   4.02.0685   184,208   Infocomm.dll   Win95/98 02/18/99  03:59pm   4.02.0685    29,520   Iscomlog.dll   Win95/98 02/18/99  04:00pm   4.02.0685    11,248   Iwrps.dll      Win95/98 02/18/99  03:58pm   4.02.0685    71,232   Metadata.dll   Win95/98 02/18/99  04:00pm   4.02.0685   227,424   W3svc.dll      Win95/98 02/18/99  03:59pm   4.02.0685    87,504   Wam.dll        Win95/98 You can download the patch from the Microsoft Download Center.

The following file is available for download from the Microsoft Download Center:

Download Pwssecup.exe now

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. If you have Personal Web Server 4.0 installed on a computer running Windows NT 4.0:

To resolve this problem, obtain the latest service pack for Windows NT 4.0 or the individual software update. For information on obtaining the latest service pack, please go to:


 * http://www.microsoft.com/windows/servicepacks/ -or-


 * 152734 how to obtain the latest windows nt 4.0 service pack

For information on obtaining the individual software update, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

How to Determine If You Are Using FrontPage Personal Web Server

 * 1) After starting FrontPage, click Open FrontPage Web on the File menu, click More Webs, and then click List Webs.
 * 2) If you have FrontPage Personal Web Server installed, a taskbar icon named "Web Server idle" appears on the taskbar. If the icon does not appear on the taskbar, you do not have FrontPage Personal Web Server installed.

To Apply the Patch
 If you are using FrontPage 1.1 or FrontPage 97, and you have FrontPage Personal Web Server installed, please see the following article in the Microsoft Knowledge Base:

217765 FP97: Security Patch for FrontPage Personal Web Server

 If you are using FrontPage 98, and you have FrontPage Personal Web Server installed, please see the following article in the Microsoft Knowledge Base:

216453 FP98: Security Patch for FrontPage Personal Web Server



If you experience difficulties installing the patch or require technical assistance with the patch, please contact Microsoft Product Support Services. For information about contacting Microsoft Product Support Services, please visit the following Microsoft Web site:

http://support.microsoft.com/contactus/

NOTE: Personal Web Server (all versions) running on Microsoft Windows NT 4.0 is not affected by this issue.

Windows NT Server 4.0, Terminal Server Edition
To resolve this problem, obtain the latest service pack for Windows NT Server 4.0, Terminal Server Edition. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the latest Windows NT 4.0 service pack



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows NT Server version 4.0, Terminal Server Edition Service Pack 6.



MORE INFORMATION
For more information about this vulnerability, please see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms99-010.mspx

For additional security-related information about Microsoft products, please visit the following Microsoft Web site:

http://www.microsoft.com/security

For more information about Windows 98 and Windows 98 Second Edition hotfixes, click the following article number to view the article in the Microsoft Knowledge Base:

206071 General Information About Windows 98 and Windows 98 Second Edition Hotfixes

Keywords: kbhotfixserver kbqfe kbdownload kbbug kbfix kbgraphxlinkcritical kbinterop kbnetwork KB217763

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.