FP98: FrontPage 98 Server Extensions DLL Exposes Security Vulnerability
Article ID: 259799
This article was previously published under Q259799
The Dvwssr.dll file, which is included in several Web server products, does not perform access-control checks correctly. Because of this, there is a possibility that a user with Web Authoring permissions on a Web site can view ASP files that belong to other Web sites hosted on the same computer, if that user has read permissions on those files.
NOTE: This problem only occurs on a computer that is running Microsoft Internet Information Server (IIS). This problem does not occur when you run the FrontPage 98 Server Extensions on a UNIX-based Web server.
To eliminate this vulnerability, delete all copies of the Dvwssr.dll file from your computer. When you do this, the only functionality that is lost is the ability to generate a link view by using Visual InterDev 1.0. In the FrontPage 98 Server Extensions, the DLL is found in the following location:
_vti_bin\_vti_aut\Dvwssr.dll
Other resolutions for this issue include the following:
Microsoft has confirmed that this is a problem in Microsoft FrontPage 98 for Windows.
The Dvwssr.dll file is included with FrontPage 98, the FrontPage 98 Server Extensions, and the Windows NT 4.0 Option Pack (which also includes the FrontPage 98 Server Extensions). The Dvwssr.dll file is not included with FrontPage 2000, the FrontPage 2000 Server Extensions, Windows 2000, or Microsoft Internet Information Services 5.0.
The Dvwssr.dll file is a server-side component that enables access to files on the server for the Link View feature in Visual InterDev 97 (Visual InterDev 1.0). Access to the DLL is permitted to users who have Web Authoring permissions on any FrontPage Web on the server. Therefore, a user can use this DLL to view files on other FrontPage Webs on the same server for which they do not have permissions, provided that the user knows the location of the file.
Upgrading from the Windows NT 4.0 Option Pack to Windows 2000 removes the DLL from active use in the Web. The DLL is still on the system in the Program Files/Microsoft FrontPage directory, but the file is no longer accessible through HTTP, which eliminates the security vulnerability.
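One way to carry out the "delete all copies" step and to account for the copy that an upgrade leaves under Program Files, as an added example that is not part of the original article and is not Microsoft code: the script walks the directories passed to it, matches the file name case-insensitively, and marks copies that sit in _vti_bin\_vti_aut. The function names and the sample directory tree are assumptions constructed for the illustration.

```python
import os
import tempfile

TARGET = "dvwssr.dll"                 # file named in the article
FP98_DIR = ("_vti_bin", "_vti_aut")   # FrontPage 98 location given in the article


def find_copies(roots):
    """Return sorted (path, in_fp98_dir) pairs for every Dvwssr.dll under roots.

    Names are compared case-insensitively, as Windows file systems do.
    """
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            parts = os.path.normpath(dirpath).lower().split(os.sep)
            for name in files:
                if name.lower() == TARGET:
                    hits.append((os.path.join(dirpath, name),
                                 tuple(parts[-2:]) == FP98_DIR))
    return sorted(hits)


def remove_copies(hits, dry_run=True):
    """Delete every reported copy; with dry_run=True only report the paths."""
    for path, _in_fp98_dir in hits:
        if not dry_run:
            os.remove(path)
    return [path for path, _ in hits]


def build_sample_tree(base):
    """Constructed directory layout (not from the article) for an offline run."""
    layout = [
        ("site1", "_vti_bin", "_vti_aut", "Dvwssr.dll"),
        ("site2", "_VTI_BIN", "_VTI_AUT", "DVWSSR.DLL"),
        ("Program Files", "Microsoft FrontPage", "dvwssr.dll"),
        ("site1", "_vti_bin", "_vti_aut", "other.dll"),
    ]
    for parts in layout:
        os.makedirs(os.path.join(base, *parts[:-1]), exist_ok=True)
        open(os.path.join(base, *parts), "wb").close()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, in_fp98_dir in find_copies([build_sample_tree(tmp)]):
            print("FP98 web dir" if in_fp98_dir else "elsewhere   ", path)
```

On a real server, pass each Web site's content root and the Program Files directory to find_copies, review the list, and only then call remove_copies with dry_run=False.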
There are some significant restrictions to this vulnerability, as follows:
Affected Software and Versions
The affected component is part of Visual InterDev 1.0. However, it is a server-side component and is included in the following products:
Frequently Asked Questions: Microsoft Security Bulletin MS00-025
Microsoft TechNet Security Web site
Article ID: 259799 - Last Review: June 15, 2004 - Revision: 2.0