ms.personal.webserver.txt

1999-08-17T00:00:00
ID PACKETSTORM:12134
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

Date: Sat, 27 Mar 1999 11:29:56 -0800  
From: aleph1@UNDERGROUND.ORG  
To: BUGTRAQ@netspace.org  
Subject: Microsoft Security Bulletin (MS99-010)  
  
The following is a Security Bulletin from the Microsoft Product Security  
Notification Service.  
  
Please do not reply to this message, as it was sent from an unattended  
mailbox.  
********************************  
  
Microsoft Security Bulletin (MS99-010)  
--------------------------------------  
  
Patch Available for File Access Vulnerability in Personal Web Server  
  
Originally Posted: March 26, 1999  
  
Summary  
=======  
Microsoft has released a patch that eliminates a vulnerability in certain  
versions of Personal Web Server running under Windows (c) 95 or Windows 98,  
which could allow files on the server to be read by an unauthorized user  
who knew the name of the file and requested it via a specific non-standard  
URL. Users running web server products on Microsoft Windows NT (c) are not  
affected.  
  
A fully supported patch is available to fix this vulnerability, and  
Microsoft recommends that customers download and install it if appropriate.  
  
  
Issue  
=====  
This vulnerability allows a file request that uses a non-standard URL to  
bypass the server's normal file access controls. The file must be  
specifically requested by name, so the requester would need to know the  
name of the file or correctly guess it. The vulnerability would allow files  
on the server to be read, but not changed or deleted, and would not allow  
new files to be written to the server. The vulnerability does not usurp any  
administrative privileges on the server.  
  
Although some of the affected products are provided as part of Windows 95  
and 98, none are turned on by default. Further, none of the affected  
products exhibit the vulnerability when run on Windows NT. While there have  
not been any reports of customers being adversely affected by these  
problems, Microsoft is releasing a patch to proactively address this issue.  
  
Affected Software Versions  
==========================  
This vulnerability involves two different products with similar names:  
Microsoft (r) Personal Web Server and FrontPage (r) Personal Web Server.  
The products can be installed on Windows 95, 98 or Windows NT; however,  
none of the products are affected by this vulnerability if installed on  
Windows NT.  
  
- Microsoft Personal Web Server is available as part  
of Windows 98 and the Windows NT Option Pack (which  
can be installed on Windows 95 and 98, as well as  
Windows NT). Microsoft Personal Web Server 4.0 is  
the only version affected by the vulnerability.  
- There is only one version of FrontPage Personal Web Server,  
which shipped as part of Microsoft FrontPage 1.1, FrontPage 97,  
and FrontPage 98. It is affected by this vulnerability.  
  
Note: Most FrontPage users will not be affected by this vulnerability.  
FrontPage 97 and 98 include two personal web servers - FrontPage Personal  
Web Server and Microsoft Personal Web Server 2.0 - and by default install  
the latter, which is not affected by the vulnerability. FrontPage 1.1 does  
install the FrontPage Personal Web Server by default.  
  
What Microsoft is Doing  
=======================  
Microsoft has released patches that fix the problem identified. The patches  
are available for download from the sites listed below in What Customers  
Should Do.  
  
Microsoft also has sent this security bulletin to customers  
subscribing to the Microsoft Product Security Notification Service.  
See http://www.microsoft.com/security/services/bulletin.asp for  
more information about this free customer service.  
  
Microsoft has published the following Knowledge Base (KB) articles on this  
issue:  
- Microsoft Knowledge Base (KB) article Q216453,  
FP98: Security Patch for FrontPage Personal Web Server,  
http://support.microsoft.com/support/kb/articles/q216/4/53.asp.  
- Microsoft Knowledge Base (KB) article Q217765,  
FP97: Security Patch for FrontPage Personal Web Server,  
http://support.microsoft.com/support/kb/articles/q217/7/65.asp.  
- Microsoft Knowledge Base (KB) article Q217763,  
File Access Vulnerability in Personal Web Server,  
http://support.microsoft.com/support/kb/articles/q217/7/63.asp  
  
(Note: It might take 24 hours from the original posting of this bulletin for  
the KB articles to be visible in the Web-based Knowledge Base.)  
  
What Customers Should Do  
========================  
Microsoft highly recommends that customers evaluate the degree of risk that  
this vulnerability poses to their systems and determine whether to download  
and install the patch. The only customers who may be affected by this  
vulnerability are those who use Windows 95 or 98 to host a personal web  
site. As noted above, Windows NT users who host personal web sites are not  
affected by this vulnerability.  
  
If you are using Windows 95 or 98 to host a personal web site but have never  
installed FrontPage:  
You are running Microsoft Personal Web Server. Only version  
4.0 requires a patch. To determine whether you are running  
version 4.0, right-click on the Personal Web Server icon in  
the Windows taskbar system tray (next to the System Clock) and  
choose Properties. If a dialog box titled "Personal Web Manager"  
appears, then you are running Microsoft Personal Web Server 4.0  
and need to install the patch located at  
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.  
If the title is anything other than "Personal Web Manager", you  
do not need the patch.  
  
If you are using Windows 95 or 98 to host a personal web site and have  
installed FrontPage:  
As detailed in Affected Software Versions, most users of Microsoft  
FrontPage are not affected by this vulnerability. Use the following  
guidelines to determine if you need this patch:  
  
If you are using FrontPage 98:  
  
1. Start FrontPage, then open a web site on the local machine  
by selecting the Open FrontPage Web command from the File menu.  
2. On the Tools Menu, select Web Settings. Select the Configuration tab.  
3. If the value in the "Server Version" field reads "Microsoft-IIS/4.0",  
Microsoft Personal Web Server 4.0 is installed and you should  
apply the patch located at  
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.  
4. If the value in the "Server Version" field reads  
"FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any digit), the  
FrontPage Personal Web Server is installed and you should install  
the patch for FrontPage 98 users of the FrontPage Personal Web Server  
located at  
http://officeupdate.microsoft.com/downloadDetails/fppws98.htm.  
5. If the value in the "Server Version" field is any other value, you  
do not need the patch.  
  
If you are using FrontPage 97:  
  
1. Start FrontPage, then open a web site on the local machine by  
selecting the Open FrontPage Web command from the File menu.  
2. On the Tools Menu, select Web Settings. Select the Configuration tab.  
3. If the value in the "Server Version" field reads "Microsoft-IIS/4.0",  
Microsoft Personal Web Server 4.0 is installed and you should  
apply the patch located at  
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.  
4. If the value in the "Server Version" field reads  
"FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any digit), the  
FrontPage Personal Web Server is installed and you should upgrade to  
Microsoft Personal Web Server 4.0, which can be downloaded from  
http://www.microsoft.com/windows/ie/pws/default.htm, then install  
the patch for Microsoft Personal Web Server 4.0 located at  
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.  
(Users needing remote authoring should follow a different upgrade  
path, detailed in Microsoft Knowledge Base Article Q217765,  
FP97: Security Patch for FrontPage Personal Web Server,  
http://support.microsoft.com/support/kb/articles/q217/7/65.asp)  
5. If the value in the "Server Version" field is any other value, you  
do not need the patch.  
  
If you are using FrontPage 1.1:  
  
You need to upgrade to Microsoft Personal Web Server 4.0, which can be  
downloaded from http://www.microsoft.com/windows/ie/pws/default.htm,  
then install the patch for Microsoft Personal Web Server 4.0 located at  
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.  
  
More Information  
================  
Please see the following references for more information related to this  
issue.  
- Microsoft Security Bulletin MS99-010,  
Patch Available for File Access Vulnerability in Personal  
Web Server (the Web-posted version of this bulletin),  
http://www.microsoft.com/security/bulletins/ms99-010.asp.  
- Microsoft Knowledge Base Article Q216453,  
FP98: Security Patch for FrontPage Personal Web Server,  
http://support.microsoft.com/support/kb/articles/q216/4/53.asp  
- Microsoft Knowledge Base Article Q217765,  
FP97: Security Patch for FrontPage Personal Web Server,  
http://support.microsoft.com/support/kb/articles/q217/7/65.asp  
- Microsoft Knowledge Base Article Q217763,  
File Access Vulnerability in Personal Web Server,  
http://support.microsoft.com/support/kb/articles/q217/7/63.asp  
  
(Note: It might take 24 hours from the original posting of this bulletin for  
the KB articles to be visible in the Web-based Knowledge Base.)  
  
Obtaining Support on this Issue  
===============================  
If you require technical assistance with this issue, please contact  
Microsoft Technical Support. For information on contacting Microsoft  
Technical Support, please see  
http://support.microsoft.com/support/contact/default.asp.  
  
Revisions  
=========  
- March 26, 1999: Bulletin Created  
  
  
For additional security-related information about Microsoft  
products, please visit http://www.microsoft.com/security.  
  
  
---------------------------------------------------------------  
  
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"  
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER  
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS  
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS  
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,  
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,  
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE  
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR  
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE  
FOREGOING LIMITATION MAY NOT APPLY.  
  
(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.  
  
*******************************************************************  
You have received this e-mail bulletin as a result of your registration  
to the Microsoft Product Security Notification Service. You may  
unsubscribe from this e-mail notification service at any time by sending  
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM  
The subject line and message body are not used in processing the request,  
and can be anything you like.  
  
For more information on the Microsoft Security Notification Service  
please visit http://www.microsoft.com/security/bulletin.htm. For  
security-related information about Microsoft products, please visit the  
Microsoft Security Advisor web site at http://www.microsoft.com/security.  