FP97: Your Web Is Vulnerable If You Use FrontPage Personal Web Server 1.0 Without the Patch

Article translations Article translations
Article ID: 217765 - View products that this article applies to.
This article was previously published under Q217765
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all

On This Page

Symptoms

If you use FrontPage Personal Web Server 1.0 (Vhttpd32.exe version 2.0.2.xxxx) on Microsoft Windows 95 or Microsoft Windows 98, your Web is vulnerable to unauthorized users who may access your files by using a specific non-standard URL. The unauthorized users must know the exact file name to access the file.

If you are using FrontPage Personal Web Server on Microsoft Windows NT 4.0, this problem does not affect you.

Most users of Microsoft FrontPage are not affected, because the FrontPage Personal Web Server is available on the FrontPage CD, but was only installed with FrontPage 1.1. Subsequent versions of FrontPage installed Microsoft Personal Web Server 2.0, which is not affected by this issue.

Cause

This vulnerability involves the ability of a malicious user to bypass the server's normal file access controls by typing a non-standard URL. The file must be specifically requested by name, so the malicious user must already know the name of the file or correctly guess the name. The vulnerability only affects users who host their own Web site with FrontPage Personal Web Server 1.0 (vhttpd32.exe version 2.0.2.xxxx).

Resolution

To resolve this problem, use one of the following methods.

Method 1: Upgrade to Microsoft Personal Web Server 4.0

If you do not need remote authoring support, Microsoft recommends that you upgrade to Microsoft Personal Web Server 4.0 and install the patch for this Web server.

For more information about downloading Microsoft Personal Web Server 4, see the following Microsoft Web site.

NOTE: Microsoft Personal Web Server 4 is installed by Windows NT 4.0 Option Pack for Windows 95.
http://www.microsoft.com/downloads/details.aspx?FamilyID=05c301d2-51f6-4cc1-b750-02f3c3141a71&displaylang=en
You can download the patch from the Microsoft Download Center. The following file is available for download from the Microsoft Download Center:
Collapse this imageExpand this image
Download
Download Pwssecup.exe now
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Method 2: Install New Extensions and the Patch

If you need to remotely author a Web, follow these steps:
  1. Download the latest extensions from Microsoft Web site.
  2. Run the file to install it.
  3. Locate and open the Frontpg.ini file. This file should be located in your Windows folder.
  4. In the [FrontPage 3.0] section, add the following line:
    PWSRoot=c:\FrontPage Webs
    					
  5. Save and close the file.
  6. Download the FrontPage Personal Web Server patch from the following Microsoft Web site:The following file is available for download from the Microsoft Download Center:
    Collapse this imageExpand this image
    Picture of Download Icon
    Download Fppws98.exe now
    For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
    119591 How to Obtain Microsoft Support Files from Online Services
    Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

  7. Run the file to install it.

More information

For more information about this vulnerability, see the following Microsoft Web site:
http://www.microsoft.com/technet/security/Bulletin/MS99-010.mspx
For additional security related information about Microsoft products, please visit the Web site at:
http://www.microsoft.com/security

Properties

Article ID: 217765 - Last Review: October 26, 2013 - Revision: 4.0
Applies to
  • Microsoft FrontPage 97 Standard Edition, when used with:
    • Microsoft Windows 98 Standard Edition
Keywords: 
kbnosurvey kbarchive kbdownload kbprb KB217765

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com