Network Security
MS99-010 Patch Available for File Access Vulnerability in Personal Web Server
- From: Paul Howell
- Date: Wed Mar 31 10:30:05 1999
This applies to FrontPage and Win95/98 users.
< paul
********************************
Microsoft Security Bulletin (MS99-010)
--------------------------------------
Patch Available for File Access Vulnerability in Personal Web
Server
Originally Posted: March 26, 1999
Summary
======
Microsoft has released a patch that eliminates a vulnerability in certain versions of
Personal Web Server running under Windows® 95 or Windows 98, which could allow files
on the server to be read by an unauthorized user who knew the name of the file and
requested it via a specific non-standard URL. Users running web server products on
Microsoft Windows NT® are not affected.
A fully supported patch is available to fix this vulnerability, and
Microsoft recommends that customers download and install it if appropriate.
Issue
====
This vulnerability allows a file request that uses a non-standard URL to bypass the server’s
normal file access controls. The file must be specifically requested by name, so the
requester would need to know the name of the file or correctly guess it. The vulnerability
would allow files on the server to be read, but not changed or deleted, and would not
allow new files to be written to the server. The vulnerability does not usurp any
administrative privileges on the server.
Although some of the affected products are provided as part of Windows 95 and 98, none
are turned on by default. Further, none of the affected products exhibit the vulnerability
when run on Windows NT. While there have not been any reports of customers being
adversely affected by these problems, Microsoft is releasing a patch to proactively address
this issue.
Affected Software Versions
=========================
This vulnerability involves two different products with similar names:
Microsoft® Personal Web Server and FrontPage® Personal Web Server. The products can
be installed on Windows 95, 98 or Windows NT; however, none of the products are affected
by this vulnerability if installed on Windows NT.
Microsoft Personal Web Server is available as part
of Windows 98 and the Windows NT Option Pack (which
can be installed on Windows 95 and 98, as well as
Windows NT). Microsoft Personal Web Server 4.0 is
the only version affected by the vulnerability.
There is only one version of FrontPage Personal Web Server, which shipped as
part of Microsoft FrontPage 1.1, FrontPage 97, and FrontPage 98. It is affected by
this vulnerability.
Note: Most FrontPage users will not be affected by this vulnerability. FrontPage 97 and 98
include two personal web servers - FrontPage Personal Web Server and Microsoft Personal
Web Server 2.0 - and by default install the latter, which is not affected by the vulnerability.
FrontPage 1.1 does install the FrontPage Personal Web Server by default.
What Microsoft is Doing
======================
Microsoft has released patches that fix the problem identified. The patches are available
for download from the sites listed below in What Customers Should Do.
Microsoft also has sent this security bulletin to customers subscribing to the Microsoft
Product Security Notification Service. See
http://www.microsoft.com/security/services/bulletin.asp for more information about this free
customer service.
Microsoft has published the following Knowledge Base (KB) articles on this issue:
Microsoft Knowledge Base (KB) article Q216453,
FP98: Security Patch for FrontPage Personal Web Server,
http://support.microsoft.com/support/kb/articles/q216/4/53.asp.
Microsoft Knowledge Base (KB) article Q217765,
FP97: Security Patch for FrontPage Personal Web Server,
http://support.microsoft.com/support/kb/articles/q217/7/65.asp.
Microsoft Knowledge Base (KB) article Q217763,
File Access Vulnerability in Personal Web Server,
http://support.microsoft.com/support/kb/articles/q217/7/63.asp
(Note: It might take 24 hours from the original posting of this bulletin for the KB articles to
be visible in the Web-based Knowledge Base.)
What Customers Should Do
=======================
Microsoft highly recommends that customers evaluate the degree of risk that this
vulnerability poses to their systems and determine whether to download and install the
patch. The only customers who may be affected by this vulnerability are those who use
Windows 95 or 98 to host a personal web site. As noted above, Windows NT users who host
personal web sites are not affected by this vulnerability.
If you are using Windows 95 or 98 to host a personal web site but have never installed
FrontPage:
You are running Microsoft Personal Web Server. Only version 4.0 requires a patch.
To determine whether you are running version 4.0, right-click on the Personal Web
Server icon in the Windows taskbar system tray (next to the System Clock) and
choose Properties. If a dialog box titled "Personal Web Manager" appears, then
you are running Microsoft Personal Web Server 4.0 and need to install the patch
located at http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe. If
the title is anything other than "Personal Web Manager", you do not need the
patch.
If you are using Windows 95 or 98 to host a personal web site and have installed
FrontPage:
As detailed in Affected Software Versions, most users of Microsoft FrontPage are
not affected by this vulnerability. Use the following guidelines to determine if you
need this patch:
If you are using FrontPage 98:
1. Start FrontPage, then open a web site on the local machine by selecting the
Open FrontPage Web command from the File menu.
2. On the Tools Menu, select Web Settings. Select the Configuration tab.
3. If the value in the "Server Version" field reads "Microsoft-IIS/4.0", Microsoft
Personal Web Server 4.0 is installed and you should apply the patch located at
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.
4. If the value in the "Server Version" field reads
"FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any digit), the
FrontPage Personal Web Server is installed and you should install
the patch for FrontPage 98 users of the FrontPage Personal Web Server
located at
http://officeupdate.microsoft.com/downloadDetails/fppws98.htm.
5. If the value in the "Server Version" field is any other value, you do not
need the patch.
If you are using FrontPage 97:
1. Start FrontPage, then open a web site on the local machine by selecting the
Open FrontPage Web command from the File menu.
2. On the Tools Menu, select Web Settings. Select the Configuration tab.
3. If the value in the "Server Version" field reads "Microsoft-IIS/4.0", Microsoft
Personal Web Server 4.0 is installed and you should apply the patch located at
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.
4. If the value in the "Server Version" field reads
"FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any digit), the FrontPage
Personal Web Server is installed and you should upgrade to Microsoft Personal
Web Server 4.0, which can be downloaded from
http://www.microsoft.com/windows/ie/pws/default.htm, then install the patch for
Microsoft Personal Web Server 4.0 located at
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe. (Users
needing remote authoring should follow a different upgrade path, detailed in
Microsoft Knowledge Base Article Q217765, FP97: Security Patch for FrontPage
Personal Web Server,
http://support.microsoft.com/support/kb/articles/q217/7/65.asp)
5. If the value in the "Server Version" field is any other value, you do not
need the patch.
If you are using FrontPage 1.1:
You need to upgrade to Microsoft Personal Web Server 4.0, which can be
downloaded from http://www.microsoft.com/windows/ie/pws/default.htm, then
install the patch for Microsoft Personal Web Server 4.0 located at
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.
More Information
===============
Please see the following references for more information related to this issue.
Microsoft Security Bulletin MS99-010,
Patch Available for File Access Vulnerability in Personal
Web Server (the Web-posted version of this bulletin),
http://www.microsoft.com/security/bulletins/ms99-010.asp.
Microsoft Knowledge Base Article Q216453,
FP98: Security Patch for FrontPage Personal Web Server,
http://support.microsoft.com/support/kb/articles/q216/4/53.asp
Microsoft Knowledge Base Article Q217765,
FP97: Security Patch for FrontPage Personal Web Server,
http://support.microsoft.com/support/kb/articles/q217/7/65.asp
Microsoft Knowledge Base Article Q217763,
File Access Vulnerability in Personal Web Server,
http://support.microsoft.com/support/kb/articles/q217/7/63.asp
(Note: It might take 24 hours from the original posting of this bulletin for the KB articles to
be visible in the Web-based Knowledge Base.)
Obtaining Support on this Issue
==============================
If you require technical assistance with this issue, please contact Microsoft Technical
Support. For information on contacting Microsoft Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.
Revisions
========
March 26, 1999: Bulletin Created
For additional security-related information about Microsoft
products, please visit http://www.microsoft.com/security.
---------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.
© 1999 Microsoft Corporation. All rights reserved. Terms of Use.
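Added example (not part of the forwarded bulletin or of Microsoft's own material): the decision procedure from "What Customers Should Do" written as a triage function for a host inventory. It shows that the same "Server Version" string leads to different actions depending on the operating system and the FrontPage release. The function names, the inventory rows and the sample banner digits are constructed for illustration, and the pattern reads "X.X.X.XXXX" literally as one digit per X.

```python
import re

# Download locations exactly as listed in the bulletin.
PWS4_PATCH = "http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe"
FP98_PATCH = "http://officeupdate.microsoft.com/downloadDetails/fppws98.htm"
PWS4_UPGRADE = "http://www.microsoft.com/windows/ie/pws/default.htm"
# "FrontPage-PWS32/X.X.X.XXXX" read literally: every X is one digit.
FP_PWS_BANNER = re.compile(r"FrontPage-PWS32/\d\.\d\.\d\.\d{4}")


def triage(os_name, frontpage=None, server_version="", dialog_title=""):
    """Return the bulletin's downloads in install order. os_name: 95/98/NT;
    frontpage: None, "1.1", "97" or "98"; the other two are the UI strings."""
    if os_name.upper() == "NT":
        return []  # same products, but not affected when run on Windows NT
    if frontpage is None:
        # Without FrontPage the host runs Microsoft PWS; only 4.0 needs the patch.
        return [PWS4_PATCH] if dialog_title == "Personal Web Manager" else []
    if frontpage == "1.1":
        return [PWS4_UPGRADE, PWS4_PATCH]  # upgrade first, then patch
    if frontpage not in ("97", "98"):
        raise ValueError("FrontPage version not covered: %r" % (frontpage,))
    banner = server_version.strip()
    if banner == "Microsoft-IIS/4.0":
        return [PWS4_PATCH]
    if FP_PWS_BANNER.fullmatch(banner):
        if frontpage == "98":
            return [FP98_PATCH]
        # FrontPage 97; remote-authoring users follow KB Q217765 instead.
        return [PWS4_UPGRADE, PWS4_PATCH]
    return []  # any other "Server Version" value: no patch needed


# Constructed inventory rows (hypothetical hosts, not from the bulletin).
INVENTORY = [
    {"host": "lab-01", "os_name": "98", "dialog_title": "Personal Web Manager"},
    {"host": "lab-02", "os_name": "95", "frontpage": "98",
     "server_version": "FrontPage-PWS32/3.0.2.1105"},
    {"host": "lab-03", "os_name": "95", "frontpage": "97",
     "server_version": "FrontPage-PWS32/3.0.2.1105"},
    {"host": "lab-04", "os_name": "NT", "frontpage": "98",
     "server_version": "Microsoft-IIS/4.0"},
]


def plan(inventory):
    """Map each host name to its ordered download list."""
    return {row["host"]: triage(**{k: v for k, v in row.items() if k != "host"})
            for row in inventory}
```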