Security Bulletin

Microsoft Security Bulletin MS99-010 - Important

Patch Available for File Access Vulnerability in Personal Web Server

Published: March 26, 1999

Version: 1.0

Originally Posted: March 26, 1999

Summary

Microsoft has released a patch that eliminates a vulnerability in certain versions of Personal Web Server running under Windows® 95 or Windows 98, which could allow files on the server to be read by an unauthorized user who knew the name of the file and requested it via a specific non-standard URL. Users running web server products on Microsoft Windows NT® are not affected.

A fully supported patch is available to fix this vulnerability, and Microsoft recommends that affected customers download and install it.

Issue

This vulnerability allows a file request that uses a non-standard URL to bypass the server's normal file access controls. The file must be specifically requested by name, so the requester would need to know the name of the file or correctly guess it. The vulnerability would allow files on the server to be read, but not changed or deleted, and would not allow new files to be written to the server. The vulnerability does not allow any administrative privileges on the server.

Although some of the affected products are provided as part of Windows 95 and 98, none are turned on by default. Further, none of the affected products exhibit the vulnerability when run on Windows NT. While there have not been any reports of customers being adversely affected by these problems, Microsoft is releasing a patch to proactively address this issue.

Affected Software Versions

This vulnerability involves two different products with similar names: Microsoft Personal Web Server and FrontPage® Personal Web Server. The products can be installed on Windows 95, 98 or Windows NT; however, none of the products are affected by this vulnerability if installed on Windows NT.

  • Microsoft Personal Web Server is available as part of Windows 98 and the Windows NT Option Pack (which can be installed on Windows 95 and 98, as well as Windows NT). Microsoft Personal Web Server 4.0 is the only version affected by the vulnerability.

  • There is only one version of FrontPage Personal Web Server, which shipped as part of Microsoft FrontPage 1.1, FrontPage 97, and FrontPage 98.

    Note: Most FrontPage users will not be affected by this vulnerability. FrontPage 97 and 98 include two personal web servers - FrontPage Personal Web Server and Microsoft Personal Web Server 2.0 - and by default install the latter, which is not affected by the vulnerability. FrontPage 1.1 does install the FrontPage Personal Web Server by default.

Vulnerability Identifier: CVE-1999-0386

What Microsoft is Doing

Microsoft has released patches that fix the problem identified. The patches are available for download from the sites listed below in What Customers Should Do.

Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See The Microsoft Product Security Notification Service for more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on this issue:

What Customers Should Do

Microsoft highly recommends that customers evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the patch. The only customers who may be affected by this vulnerability are those who use Windows 95 or 98 to host a personal web site. As noted above, Windows NT users who host personal web sites are not affected by this vulnerability.

If you are using Windows 95 or 98 to host a personal web site but have never installed FrontPage: You are running Microsoft Personal Web Server. Only version 4.0 requires a patch. To determine whether you are running version 4.0, right-click on the Personal Web Server icon in the Windows taskbar system tray (next to the System Clock) and choose Properties. If a dialog box titled "Personal Web Manager" appears, then you are running Microsoft Personal Web Server 4.0 and need to install the patch located at https://www.microsoft.com/download/details.aspx?FamilyID=42843E0F-D7CD-4330-BCB0-E7F3CC560D07&displaylang=EN. If the title is anything other than "Personal Web Manager", you do not need the patch.

If you are using Windows 95 or 98 to host a personal web site and have installed FrontPage: As detailed in Affected Software Versions, most users of Microsoft FrontPage are not affected by this vulnerability. Use the following guidelines to determine if you need this patch:

If you are using FrontPage 98:

  1. Start FrontPage, then open a web site on the local machine by selecting the Open FrontPage Web command from the File menu.
  2. On the Tools Menu, select Web Settings. Select the Configuration tab.
  3. If the value in the "Server Version" field reads "Microsoft-IIS/4.0", Microsoft Personal Web Server 4.0 is installed and you should apply the patch located at https://www.microsoft.com/download/details.aspx?FamilyID=42843E0F-D7CD-4330-BCB0-E7F3CC560D07&displaylang=EN.
  4. If the value in the "Server Version" field reads "FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any digit), the FrontPage Personal Web Server is installed and you should install the patch for FrontPage 98 users of the FrontPage Personal Web Server located at https://www.microsoft.com/download/details.aspx?FamilyID=7112C979-165D-4E7C-B3DD-940168974B49&displaylang=EN.
  5. If the value in the "Server Version" field is any other value, you do not need the patch.

If you are using FrontPage 97:

  1. Start FrontPage, then open a web site on the local machine by selecting the Open FrontPage Web command from the File menu.
  2. On the Tools Menu, select Web Settings. Select the Configuration tab.
  3. If the value in the "Server Version" field reads "Microsoft-IIS/4.0", Microsoft Personal Web Server 4.0 is installed and you should apply the patch located at https://www.microsoft.com/download/details.aspx?FamilyID=42843E0F-D7CD-4330-BCB0-E7F3CC560D07&displaylang=EN.
  4. If the value in the "Server Version" field reads "FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any digit), the FrontPage Personal Web Server is installed and you should upgrade to Microsoft Personal Web Server 4.0, which can be downloaded from https:, then install the patch for Microsoft Personal Web Server 4.0 located at https://www.microsoft.com/download/details.aspx?FamilyID=42843E0F-D7CD-4330-BCB0-E7F3CC560D07&displaylang=EN. (Users needing remote authoring should follow a different upgrade path, detailed in Microsoft Knowledge Base Article 217765, FP97: Security Patch for FrontPage Personal Web Server, https:)
  5. If the value in the "Server Version" field is any other value, you do not need the patch.

If you are using FrontPage 1.1, you need to upgrade to Microsoft Personal Web Server 4.0, which can be downloaded from https:, then install the patch for Microsoft Personal Web Server 4.0 located at https://www.microsoft.com/download/details.aspx?FamilyID=42843E0F-D7CD-4330-BCB0-E7F3CC560D07&displaylang=EN.
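The checks above, collected into one triage routine that can be run over an asset inventory. This is an added example, not part of the original bulletin: the record fields (os, frontpage, dialog_title, server_version), the action strings and the sample hosts are constructed for illustration, and the version pattern accepts any dotted numeric version after the prefix rather than only the digit counts shown.

```python
import re

PWS4 = "Microsoft-IIS/4.0"
# The bulletin writes this value as "FrontPage-PWS32/X.X.X.XXXX". Accepting any
# dotted numeric version after the prefix is an assumption of this example.
FP_PWS = re.compile(r"FrontPage-PWS32/\d+(\.\d+)*")

def triage(host):
    """Return the bulletin's recommended action for one inventory record."""
    if host["os"] == "Windows NT":
        return "not affected"
    if host["os"] not in ("Windows 95", "Windows 98"):
        raise ValueError("OS not covered by the bulletin: %r" % host["os"])
    fp = host.get("frontpage")  # None, "1.1", "97" or "98"
    if fp is None:
        # No FrontPage: the check is the title of the Properties dialog.
        if host.get("dialog_title") == "Personal Web Manager":
            return "patch PWS 4.0"
        return "no patch needed"
    if fp == "1.1":
        return "upgrade to PWS 4.0, then patch PWS 4.0"
    if fp not in ("97", "98"):
        raise ValueError("FrontPage version not covered: %r" % fp)
    version = (host.get("server_version") or "").strip()
    if version == PWS4:
        return "patch PWS 4.0"
    if FP_PWS.fullmatch(version):
        # FrontPage 98 has its own patch; FrontPage 97 upgrades first
        # (remote-authoring users: see KB article 217765).
        if fp == "98":
            return "patch FrontPage PWS (FrontPage 98)"
        return "upgrade to PWS 4.0, then patch PWS 4.0"
    return "no patch needed"

# Constructed inventory records; host names and version digits are made up.
INVENTORY = [
    {"name": "kiosk-1", "os": "Windows 98", "dialog_title": "Personal Web Manager"},
    {"name": "dev-2", "os": "Windows 95", "frontpage": "98",
     "server_version": "FrontPage-PWS32/1.2.3.4567"},
    {"name": "dev-3", "os": "Windows 95", "frontpage": "97",
     "server_version": "FrontPage-PWS32/1.2.3.456"},
    {"name": "srv-4", "os": "Windows NT", "frontpage": "98",
     "server_version": "Microsoft-IIS/4.0"},
]

def report(inventory):
    """Map each host name to its action."""
    return {h["name"]: triage(h) for h in inventory}

if __name__ == "__main__":
    for name, action in report(INVENTORY).items():
        print(name, "->", action)
```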

More Information

Please see the following references for more information related to this issue.

  • Microsoft Security Bulletin MS99-010, Patch Available for File Access Vulnerability in Personal Web Server (the Web-posted version of this bulletin), https://www.microsoft.com/technet/security/bulletin/ms99-010.mspx.

  • Microsoft Knowledge Base Article 216453, FP98: Security Patch for FrontPage Personal Web Server, https:

  • Microsoft Knowledge Base Article 217765, FP97: Security Patch for FrontPage Personal Web Server, https:

  • Microsoft Knowledge Base Article 217763, File Access Vulnerability in Personal Web Server, https:

    (Note: It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.)

Obtaining Support on this Issue

If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see https:.

Revisions

  • March 26, 1999: Bulletin Created

For additional security-related information about Microsoft products, please visit https://www.microsoft.com/technet/security

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
