FP97: Security Patch for FrontPage Personal Web Server

ID: q217765


The information in this article applies to:
  • Microsoft FrontPage 97 for Windows, version 97


SYMPTOMS

If you use FrontPage Personal Web Server 1.0 (Vhttpd32.exe version 2.0.2.xxxx) on Microsoft Windows 95 or Windows 98 operating systems, your web is vulnerable to unauthorized users accessing your files using a specific non-standard URL. The unauthorized users would have to know the exact file name to access it.

If you are using FrontPage Personal Web Server on Microsoft Windows NT, you are not affected.

Most users of Microsoft FrontPage are not affected: although the FrontPage Personal Web Server is available on the FrontPage CD, it was installed only with FrontPage 1.1. Subsequent versions of FrontPage installed Microsoft Personal Web Server 2.0, which is not affected by this issue.


CAUSE

This vulnerability allows a malicious user to bypass the server's normal file access controls by typing a non-standard URL. The file must be specifically requested by name, so the malicious user would need to already know the name of the file, or correctly guess it. The vulnerability only affects users who host their own Web site with FrontPage Personal Web Server 1.0 (vhttpd32.exe version 2.0.2.xxxx).


RESOLUTION

Method 1: Upgrade to Microsoft Personal Web Server 4.0

If you do not need remote authoring support, it is recommended that you upgrade to Microsoft Personal Web Server 4.0 and install the patch for this web server.

For more information about downloading Microsoft Personal Web Server 4, please see the following Microsoft World Wide Web site:
http://www.microsoft.com/windows/ie/pws/default.htm
You can download the patch from the Microsoft Download Center. Click the file name below to download the file:
Pwssecup.exe
For more information about how to download files from the Microsoft Download Center, please visit the Download Center at the following Web address
http://www.microsoft.com/downloads/search.asp
and then click How to use the Microsoft Download Center.

Method 2: Install New Extensions and Patch

If you need the ability to remotely author a web, follow these steps:
  1. Download the latest extensions from the following Microsoft Office Update site:
    http://officeupdate.microsoft.com/isapi/goftp.asp?TARGET=/products/frontpage/fp98ext_x86_enu.exe


  2. Run the file to install it.


  3. Locate and open the Frontpg.ini file.


  4. In the [FrontPage 3.0] section add the following line:
    
    PWSRoot=c:\FrontPage Webs


  5. Save and close the file.


  6. Download the FrontPage Personal Web Server patch from the following Microsoft Office Update site:
    http://premium.officeupdate.microsoft.com/download/officeupdate/fppws98.exe


  7. Run the file to install it.
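
The Frontpg.ini edit in steps 3 through 5 can be applied and checked with a script so that it is not duplicated or silently overwritten. This is an added example, not part of the original article or of any Microsoft tool; the function name, the status strings and the sample file contents are assumptions constructed for illustration.

```python
import re

SECTION = "[frontpage 3.0]"        # section named in step 4 (compared lowercased)
KEY = "pwsroot"
PAGE_VALUE = r"c:\FrontPage Webs"  # value given in step 4 of the article

def ensure_pwsroot(ini_text, root=PAGE_VALUE):
    """Return (new_text, status). status is one of:
    'added'      - line inserted directly under the section header
    'present'    - key already set to `root`; text unchanged
    'differs'    - key set to another value; left untouched for review
    'no-section' - section missing (steps 1-2 probably not done); unchanged
    """
    lines = ini_text.splitlines(keepends=True)
    header = None
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("["):
            if header is not None:
                break                      # reached the next section
            if stripped.lower() == SECTION:
                header = i
        elif header is not None:
            # key=value, ignoring ';' comment lines and surrounding spaces
            m = re.match(r"\s*([^=;]+?)\s*=\s*(.*?)\s*$", line)
            if m and m.group(1).lower() == KEY:
                same = m.group(2).lower() == root.lower()
                return ini_text, ("present" if same else "differs")
    if header is None:
        return ini_text, "no-section"
    eol = "\r\n" if "\r\n" in ini_text else "\n"   # keep the file's line endings
    if not lines[header].endswith("\n"):
        lines[header] += eol
    lines.insert(header + 1, f"PWSRoot={root}{eol}")
    return "".join(lines), "added"

# Constructed sample, not a real Frontpg.ini; the other keys are placeholders.
SAMPLE = ("[Other]\r\nExampleKey=1\r\n[FrontPage 3.0]\r\nExampleKey=2\r\n"
          "[Ports]\r\nExampleKey=3\r\n")

if __name__ == "__main__":
    patched, status = ensure_pwsroot(SAMPLE)
    print(status)
    print(patched)
```

A status of `differs` or `no-section` leaves the file untouched, so an existing web root or a missing extensions install is surfaced for review instead of being overwritten.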



MORE INFORMATION

For more information about this vulnerability, please see the following Microsoft Web site:

http://www.microsoft.com/security/bulletins/ms99-010.asp
For additional security related information about Microsoft products, please visit the Web site at:
http://www.microsoft.com/security

Keywords : kbdta
Version : WINDOWS:97
Platform : WINDOWS


Last Reviewed: November 30, 1999
© 2000 Microsoft Corporation. All rights reserved.