FP98: FrontPage 98 Server Extensions DLL Exposes Security Vulnerability

Article ID: 259799 - View products that this article applies to.
This article was previously published under Q259799
Expand all | Collapse all

SYMPTOMS

The Dvwssr.dll file, which is included in several Web server products, does not perform access-control checks correctly. Because of this, there is a possibility that a user with Web Authoring permissions on a Web site can view ASP files that belong to other Web sites hosted on the same computer, if that user has read permissions on those files.

NOTE: This problem only occurs on a computer that is running Microsoft Internet Information Server (IIS). This problem does not occur when you run the FrontPage 98 Server Extensions on a UNIX-based Web server.
Back to the top | Give Feedback

RESOLUTION

To eliminate this vulnerability, delete all copies of the Dvwssr.dll file from your computer. When you do this, the only functionality that is lost is the ability to generate a link view by using Visual InterDev 1.0. In the FrontPage 98 Server Extensions, the DLL is found in the following location:
_vti_bin\_vti_aut\Dvwssr.dll
Other resolutions for this issue include the following:
  • Upgrade to FrontPage 2000 Server Extensions.
  • Install Office 2000 Server Extensions.
  • Upgrade from Microsoft Windows NT 4.0 Server to Microsoft Windows 2000.
Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in Microsoft FrontPage 98 for Windows.
Back to the top | Give Feedback

MORE INFORMATION

The Dvwssr.dll file is included with FrontPage 98, the FrontPage 98 Server Extensions, and the Windows NT 4.0 Option Pack (which also includes the FrontPage 98 Server Extensions). The Dvwssr.dll file is not included with FrontPage 2000, the FrontPage 2000 Server Extensions, Windows 2000, or Microsoft Internet Information Services 5.0.

The Dvwssr.dll file is a server-side component that enables access to files on the server for the Link View feature in Visual Interdev 97 (Visual Interdev 1.0). Access to the DLL is permitted to users who have Web Authoring permissions on any FrontPage Web on the server. Therefore, a user can use this DLL to view files on other FrontPage Webs on the same server that they do not have permissions to, provided that the user knows the location of the file.

Upgrading from the Windows NT 4.0 Option Pack to Windows 2000 removes the DLL from active use in the Web. The DLL is still on the system in the Program Files/Microsoft FrontPage directory, but the file is no longer accessible through HTTP, which eliminates the security vulnerability.


There are some significant restrictions to this vulnerability, as follows:
  • Only servers that are hosting multiple Web sites can be affected.
  • Only a user who has Web Authoring permissions on at least one site on the server can request a file. That user also needs to know the name and location of the file on the server.
  • Only ASP files (and the Global.asa file, which is a special-case ASP file) can be retrieved.
  • The files are only sent if the user who requests the files has read permissions on them. In most cases, this means that the files have read permissions granted to the Everyone group.

Affected Software and Versions

The affected component is part of Visual Interdev 1.0. However, it is a server-side component and is included in the following products:
  • Windows NT 4.0 Option Pack
  • Personal Web Server 4.0, which is included with Microsoft Windows 95 and Microsoft Windows 98
For more information about this issue, please see the following references:
Frequently Asked Questions: Microsoft Security Bulletin MS00-025
(http://www.microsoft.com/technet/security/bulletin/fq00-025.mspx)


Microsoft TechNet Security Web site
(http://www.microsoft.com/technet/security/default.mspx)
Back to the top | Give Feedback

Properties

Article ID: 259799 - Last Review: June 15, 2004 - Revision: 2.0
APPLIES TO
  • Microsoft FrontPage 98 Standard Edition
Keywords: 
kbbug kbpending KB259799
Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top