Patches for File Access Vulnerability in Personal Web Servers
 

Summary

Microsoft has released a patch that eliminates a vulnerability in certain versions of Personal Web Server running under Windows® 95 or Windows 98, which could allow files on the server to be read by an unauthorized user who knew the name of the file and requested it via a specific non-standard URL. Users running Web server products on Microsoft Windows NT® are not affected. Furthermore, most Microsoft FrontPage® users will not be affected by this vulnerability. By default, FrontPage 97 and 98 install Microsoft Personal Web Server 2.0, which is not affected by the vulnerability.

A fully supported patch is available to fix this vulnerability, and Microsoft recommends that affected customers download and install it.

The Issue

This vulnerability allows a file request that uses a non-standard URL to bypass the server's normal file access controls. The file must be specifically requested by name, so the requester would need to know the name of the file or correctly guess it. The vulnerability would allow files on the server to be read, but not changed or deleted, and would not allow new files to be written to the server. The vulnerability does not allow any administrative privileges on the server.

Although some of the affected products are provided as part of Windows 95 and 98, none are turned on by default. Further, none of the affected products exhibit the vulnerability when run on Windows NT. While there have not been any reports of customers being adversely affected by these problems, Microsoft is releasing a patch to proactively address this issue.

Affected Software Versions

This vulnerability involves two different products with similar names: Microsoft Personal Web Server and FrontPage Personal Web Server. The products can be installed on Windows 95, 98 or Windows NT; however, none of the products are affected by this vulnerability if installed on Windows NT.

  • Microsoft Personal Web Server is available as part of Windows 98 and the Windows NT Option Pack (which can be installed on Windows 95 and 98, as well as Windows NT). Microsoft Personal Web Server 4.0 is the only version affected by the vulnerability.
  • There is only one version of FrontPage Personal Web Server, which shipped as part of Microsoft FrontPage 1.1, FrontPage 97, and FrontPage 98.

    Note  Most FrontPage users will not be affected by this vulnerability. FrontPage 97 and 98 include two personal Web servers—FrontPage Personal Web Server and Microsoft Personal Web Server 2.0—and by default install the latter, which is not affected by the vulnerability. FrontPage 1.1 does install the FrontPage Personal Web Server by default.

What Microsoft Is Doing

Microsoft has released patches that fix the problem identified. The patches are available for download from the sites listed below in What Customers Should Do.

Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See Signing up for the Microsoft Product Security Notification Service for more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) articles on this issue:

  • Q216453 - FP98: Security Patch for FrontPage Personal Web Server
  • Q217765 - FP97: Security Patch for FrontPage Personal Web Server
  • Q217763 - File Access Vulnerability in Personal Web Server

    Note  It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.

What Customers Should Do

Microsoft highly recommends that customers evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the patch. The only customers who may be affected by this vulnerability are those who use Windows 95 or 98 to host a personal Web site. As noted above, Windows NT users who host personal Web sites are not affected by this vulnerability.

If you are using Windows 95 or 98 to host a personal Web site but have never installed FrontPage, you are running Microsoft Personal Web Server. Only version 4.0 requires a patch. To determine whether you are running version 4.0, right-click the Personal Web Server icon in the Windows taskbar system tray (next to the System Clock) and choose Properties. If a dialog box titled "Personal Web Manager" appears, then you are running Microsoft Personal Web Server 4.0 and need to install the Microsoft Personal Web Server File Access Vulnerability Patch. If the title is anything other than "Personal Web Manager", you do not need the patch.

If you are using Windows 95 or 98 to host a personal Web site and have installed FrontPage, note that, as detailed in Affected Software Versions, most users of Microsoft FrontPage are not affected by this vulnerability. Use the following guidelines to determine if you need this patch:

If you are using FrontPage 98:

  1. Start FrontPage, then open a web site on the local machine by selecting the Open FrontPage Web command from the File menu.
  2. On the Tools menu, select Web Settings. Select the Configuration tab.
  3. If the value in the "Server Version" field reads "Microsoft-IIS/4.0", Microsoft Personal Web Server 4.0 is installed and you should apply the Microsoft Personal Web Server File Access Vulnerability Patch.
  4. If the value in the "Server Version" field reads "FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any digit), the FrontPage Personal Web Server is installed and you should install the FrontPage Personal Web Server File Access Vulnerability Patch.
  5. If any other value appears in the "Server Version" field, you do not need the patch.

If you are using FrontPage 97:

  1. Start FrontPage, then open a web site on the local machine by selecting the Open FrontPage Web command from the File menu.
  2. On the Tools menu, select Web Settings. Select the Configuration tab.
  3. If the value in the "Server Version" field reads "Microsoft-IIS/4.0", Microsoft Personal Web Server 4.0 is installed and you should apply the Microsoft Personal Web Server File Access Vulnerability Patch.
  4. If the value in the "Server Version" field reads "FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any digit), the FrontPage Personal Web Server is installed and you should upgrade to Microsoft Personal Web Server 4.0, then install the Microsoft Personal Web Server File Access Vulnerability Patch. (Users needing remote authoring should follow a different upgrade path, detailed in Microsoft Knowledge Base Article Q217765 FP97: Security Patch for FrontPage Personal Web Server.)
  5. If any other value appears in the "Server Version" field, you do not need the patch.

If you are using FrontPage 1.1:

You need to upgrade to Microsoft Personal Web Server 4.0, then install the Microsoft Personal Web Server File Access Vulnerability Patch.
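
The checks above, consolidated into one triage function for an inventory of machines. This is an added example, not Microsoft's code: the function names, action labels, host names and sample "Server Version" strings are constructed for illustration.

```python
import re

# The two "Server Version" values the bulletin names (X = any single digit).
PWS4 = re.compile(r"Microsoft-IIS/4\.0")
FP_PWS = re.compile(r"FrontPage-PWS32/\d\.\d\.\d\.\d{4}")
# Action labels are constructed for this example.
NO_PATCH = "no patch needed"
PATCH_MS_PWS = "install Microsoft Personal Web Server patch"
PATCH_FP_PWS = "install FrontPage Personal Web Server patch"
UPGRADE_THEN_PATCH = "upgrade to Microsoft PWS 4.0, then install Microsoft PWS patch"

def triage(os_name, frontpage=None, server_version="", dialog_title=""):
    """Return the bulletin's action; frontpage is None, "1.1", "97" or "98"."""
    if os_name == "Windows NT":
        return NO_PATCH  # no product is affected when installed on Windows NT
    if os_name not in ("Windows 95", "Windows 98"):
        raise ValueError(f"OS not covered by the bulletin: {os_name!r}")
    if frontpage is None:
        # Without FrontPage, the Properties dialog title identifies PWS 4.0.
        return PATCH_MS_PWS if dialog_title == "Personal Web Manager" else NO_PATCH
    if frontpage == "1.1":
        return UPGRADE_THEN_PATCH
    if frontpage not in ("97", "98"):
        raise ValueError(f"FrontPage version not covered: {frontpage!r}")
    version = server_version.strip()
    if PWS4.fullmatch(version):
        return PATCH_MS_PWS
    if FP_PWS.fullmatch(version):
        # FrontPage 98 has its own patch; FrontPage 97 must move to PWS 4.0
        # (remote-authoring users follow KB Q217765 instead).
        return PATCH_FP_PWS if frontpage == "98" else UPGRADE_THEN_PATCH
    return NO_PATCH

# Constructed sample inventory: (host, OS, FrontPage, Server Version, dialog title)
INVENTORY = [
    ("desk-01", "Windows 98", None, "", "Personal Web Manager"),
    ("desk-02", "Windows 95", "98", "FrontPage-PWS32/3.0.2.1105", ""),
    ("desk-03", "Windows 95", "97", "FrontPage-PWS32/2.0.1.0927", ""),
    ("desk-04", "Windows NT", "98", "Microsoft-IIS/4.0", ""),
]

def triage_inventory(rows):
    return {host: triage(os_name, fp, sv, title) for host, os_name, fp, sv, title in rows}

if __name__ == "__main__":
    for host, action in triage_inventory(INVENTORY).items():
        print(f"{host}: {action}")
```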

More Information

Please see the following references for more information related to this issue.

  • Microsoft Security Bulletin MS99-010 - Patch Available for File Access Vulnerability in Personal Web Server
  • Microsoft Knowledge Base Article Q216453 - FP98: Security Patch for FrontPage Personal Web Server
  • Microsoft Knowledge Base Article Q217765 - FP97: Security Patch for FrontPage Personal Web Server
  • Microsoft Knowledge Base Article Q217763 - File Access Vulnerability in Personal Web Server

Note  It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Microsoft Product Support Services.

Revisions

For additional security-related information about Microsoft products, please visit the Microsoft Security Advisor Web Site.
