If you use FrontPage Personal Web Server 1.0 (Vhttpd32.exe version 2.0.2.xxxx) on Microsoft Windows 95 or Microsoft Windows 98, your Web is vulnerable to unauthorized users who may access your files by using a specific non-standard URL. The unauthorized users must know the exact file name to access the file.

If you are using FrontPage Personal Web Server on Microsoft Windows NT 4.0, this problem does not affect you.

Most users of Microsoft FrontPage are not affected, because the FrontPage Personal Web Server is available on the FrontPage CD, but was only installed with FrontPage 1.1. Subsequent versions of FrontPage installed Microsoft Personal Web Server 2.0, which is not affected by this issue.

Back to the top

This vulnerability involves the ability of a malicious user to bypass the server's normal file access controls by typing a non-standard URL. The file must be specifically requested by name, so the malicious user must already know the name of the file or correctly guess the name. The vulnerability only affects users who host their own Web site with FrontPage Personal Web Server 1.0 (vhttpd32.exe version 2.0.2.xxxx).

Back to the top

To resolve this problem, use one of the following methods.

Back to the top

Method 1: Upgrade to Microsoft Personal Web Server 4.0

If you do not need remote authoring support, Microsoft recommends that you upgrade to Microsoft Personal Web Server 4.0 and install the patch for this Web server.

For more information about downloading Microsoft Personal Web Server 4, see the following Microsoft Web site.

NOTE: Microsoft Personal Web Server 4 is installed by Windows NT 4.0 Option Pack for Windows 95. You can download the patch from the Microsoft Download Center. The following file is available for download from the Microsoft Download Center:
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base: Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Back to the top

Method 2: Install New Extensions and the Patch

If you need to remotely author a Web, follow these steps:

1.	Download the latest extensions from Microsoft Web site.
2.	Run the file to install it.
3.	Locate and open the Frontpg.ini file. This file should be located in your Windows folder.
4.	In the [FrontPage 3.0] section, add the following line: PWSRoot=c:\FrontPage Webs
5.	Save and close the file.
6.	Download the FrontPage Personal Web Server patch from the following Microsoft Web site:The following file is available for download from the Microsoft Download Center: Download Fppws98.exe now (http://download.microsoft.com/download/fp98/fppws98/97/win98/en-us/fppws98.exe) For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base: 119591 (http://support.microsoft.com/kb/119591/EN-US/) How to Obtain Microsoft Support Files from Online Services Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.
7.	Run the file to install it.

Back to the top

For more information about this vulnerability, see the following Microsoft Web site: For additional security related information about Microsoft products, please visit the Web site at:

Back to the top