FP97: Your Web Is Vulnerable If You Use FrontPage Personal Web Server 1.0 Without the Patch (217765)
The information in this article applies to:
- Microsoft FrontPage 97 for Windows, when used with:
- the operating system: Microsoft Windows 95
- the operating system: Microsoft Windows 98
This article was previously published under Q217765 SYMPTOMS
If you use FrontPage Personal Web Server 1.0 (Vhttpd32.exe version 2.0.2.xxxx) on Microsoft Windows 95 or Microsoft Windows 98, your Web is vulnerable to unauthorized users who may access your files by using a specific non-standard URL. The unauthorized users must know the exact file name to access the file.
If you are using FrontPage Personal Web Server on Microsoft Windows NT 4.0, this problem does not affect you.
Most users of Microsoft FrontPage are not affected, because the FrontPage Personal Web Server is available on the FrontPage CD, but was only installed with FrontPage 1.1. Subsequent versions of FrontPage installed Microsoft Personal Web Server 2.0, which is not affected by this issue.
CAUSE
This vulnerability involves the ability of a malicious user to bypass the server's normal file access controls by typing a non-standard URL. The file must be specifically requested by name, so the malicious user must already know the name of the file or correctly guess the name. The vulnerability only affects users who host their own Web site with FrontPage Personal Web Server 1.0 (vhttpd32.exe version 2.0.2.xxxx).
RESOLUTION
To resolve this problem, use one of the following methods.
Method 1: Upgrade to Microsoft Personal Web Server 4.0
If you do not need remote authoring support, Microsoft recommends that you upgrade to Microsoft Personal Web Server 4.0 and install the patch for this Web server.
For more information about downloading Microsoft Personal Web Server 4, see the following Microsoft Web site. NOTE: Microsoft Personal Web Server 4 is installed by Windows NT 4.0 Option Pack for Windows 95.
You can download the patch from the Microsoft Download Center.
The following file is available for download from the Microsoft Download Center:
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Method 2: Install New Extensions and the Patch
If you need to remotely author a Web, follow these steps:
- Download the latest extensions from the following Microsoft Web site:
- Run the file to install it.
- Locate and open the Frontpg.ini file. This file should be located in your Windows folder.
- In the [FrontPage 3.0] section, add the following line:
PWSRoot=c:\FrontPage Webs
- Save and close the file.
- Download the FrontPage Personal Web Server patch from the following Microsoft Web site:The following file is available for download from the Microsoft Download Center:
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:119591 How to Obtain Microsoft Support Files from Online Services
- Run the file to install it.
| Modification Type: | Minor | Last Reviewed: | 8/5/2004 |
|---|
| Keywords: | kbdownload kbprb KB217765 |
|---|
|
