
Microsoft Security Bulletin MS99-010 - Important

Patch Available for File Access Vulnerability in Personal Web Server

Published: March 26, 1999

Version: 1.0

Originally Posted: March 26, 1999

Summary

Microsoft has released a patch that eliminates a vulnerability in certain versions of Personal Web Server running under Windows® 95 or Windows 98, which could allow files on the server to be read by an unauthorized user who knew the name of the file and requested it via a specific non-standard URL. Users running web server products on Microsoft Windows NT® are not affected.

A fully supported patch is available to fix this vulnerability, and Microsoft recommends that affected customers download and install it.

Issue

This vulnerability allows a file request that uses a non-standard URL to bypass the server's normal file access controls. The file must be specifically requested by name, so the requester would need to know the name of the file or correctly guess it. The vulnerability would allow files on the server to be read, but not changed or deleted, and would not allow new files to be written to the server. The vulnerability does not allow any administrative privileges on the server.

Although some of the affected products are provided as part of Windows 95 and 98, none are turned on by default. Further, none of the affected products exhibit the vulnerability when run on Windows NT. While there have not been any reports of customers being adversely affected by these problems, Microsoft is releasing a patch to proactively address this issue.

Affected Software Versions

This vulnerability involves two different products with similar names: Microsoft Personal Web Server and FrontPage® Personal Web Server. The products can be installed on Windows 95, 98 or Windows NT; however, none of the products are affected by this vulnerability if installed on Windows NT.

  • Microsoft Personal Web Server is available as part of Windows 98 and the Windows NT Option Pack (which can be installed on Windows 95 and 98, as well as Windows NT). Microsoft Personal Web Server 4.0 is the only version affected by the vulnerability.
  • There is only one version of FrontPage Personal Web Server, which shipped as part of Microsoft FrontPage 1.1, FrontPage 97, and FrontPage 98.

    Note    Most FrontPage users will not be affected by this vulnerability. FrontPage 97 and 98 include two personal web servers - FrontPage Personal Web Server and Microsoft Personal Web Server 2.0 - and by default install the latter, which is not affected by the vulnerability. FrontPage 1.1 does install the FrontPage Personal Web Server by default.

Vulnerability Identifier: CVE-1999-0386

What Microsoft is Doing

Microsoft has released patches that fix the problem identified. The patches are available for download from the sites listed below in What Customers Should Do.

Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See The Microsoft Product Security Notification Service for more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on this issue:

What Customers Should Do

Microsoft highly recommends that customers evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the patch. The only customers who may be affected by this vulnerability are those who use Windows 95 or 98 to host a personal web site. As noted above, Windows NT users who host personal web sites are not affected by this vulnerability.

If you are using Windows 95 or 98 to host a personal web site but have never installed FrontPage, you are running Microsoft Personal Web Server. Only version 4.0 requires a patch. To determine whether you are running version 4.0, right-click on the Personal Web Server icon in the Windows taskbar system tray (next to the System Clock) and choose Properties. If a dialog box titled "Personal Web Manager" appears, then you are running Microsoft Personal Web Server 4.0 and need to install the patch located at http://www.microsoft.com/downloads/details.aspx?FamilyID=42843E0F-D7CD-4330-BCB0-E7F3CC560D07&displaylang=EN. If the title is anything other than "Personal Web Manager", you do not need the patch.

If you are using Windows 95 or 98 to host a personal web site and have installed FrontPage:

As detailed in Affected Software Versions, most users of Microsoft FrontPage are not affected by this vulnerability. Use the following guidelines to determine if you need this patch:

If you are using FrontPage 98:

  1. Start FrontPage, then open a web site on the local machine by selecting the Open FrontPage Web command from the File menu.
  2. On the Tools Menu, select Web Settings. Select the Configuration tab.
  3. If the value in the "Server Version" field reads "Microsoft-IIS/4.0", Microsoft Personal Web Server 4.0 is installed and you should apply the patch located at http://www.microsoft.com/downloads/details.aspx?FamilyID=42843E0F-D7CD-4330-BCB0-E7F3CC560D07&displaylang=EN.
  4. If the value in the "Server Version" field reads "FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any digit), the FrontPage Personal Web Server is installed and you should install the patch for FrontPage 98 users of the FrontPage Personal Web Server located at http://www.microsoft.com/downloads/details.aspx?FamilyID=7112C979-165D-4E7C-B3DD-940168974B49&displaylang=EN.
  5. If the value in the "Server Version" field is any other value, you do not need the patch.

If you are using FrontPage 97:

  1. Start FrontPage, then open a web site on the local machine by selecting the Open FrontPage Web command from the File menu.
  2. On the Tools Menu, select Web Settings. Select the Configuration tab.
  3. If the value in the "Server Version" field reads "Microsoft-IIS/4.0", Microsoft Personal Web Server 4.0 is installed and you should apply the patch located at http://www.microsoft.com/downloads/details.aspx?FamilyID=42843E0F-D7CD-4330-BCB0-E7F3CC560D07&displaylang=EN.
  4. If the value in the "Server Version" field reads "FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any digit), the FrontPage Personal Web Server is installed and you should upgrade to Microsoft Personal Web Server 4.0, which can be downloaded from http://www.microsoft.com/windows/products/winfamily/ie/default.mspx, then install the patch for Microsoft Personal Web Server 4.0 located at http://www.microsoft.com/downloads/details.aspx?FamilyID=42843E0F-D7CD-4330-BCB0-E7F3CC560D07&displaylang=EN. (Users needing remote authoring should follow a different upgrade path, detailed in Microsoft Knowledge Base Article 217765, FP97: Security Patch for FrontPage Personal Web Server, http://support.microsoft.com/default.aspx?scid=kb;en-us;217765&sd=tech)
  5. If the value in the "Server Version" field is any other value, you do not need the patch.

If you are using FrontPage 1.1, you need to upgrade to Microsoft Personal Web Server 4.0, which can be downloaded from http://www.microsoft.com/windows/products/winfamily/ie/default.mspx, then install the patch for Microsoft Personal Web Server 4.0 located at http://www.microsoft.com/downloads/details.aspx?FamilyID=42843E0F-D7CD-4330-BCB0-E7F3CC560D07&displaylang=EN.
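The FrontPage guidelines above can be applied to a list of machines in one pass. The following is an added example, not part of the original bulletin: the function names, host names and version digits in the sample inventory are constructed, and it covers only hosts where FrontPage 1.1, 97 or 98 is installed.

```python
import re

# Patch locations exactly as listed in the bulletin.
BASE = "http://www.microsoft.com/downloads/details.aspx?FamilyID="
PWS4_PATCH = BASE + "42843E0F-D7CD-4330-BCB0-E7F3CC560D07&displaylang=EN"
FP98_PATCH = BASE + "7112C979-165D-4E7C-B3DD-940168974B49&displaylang=EN"

# "FrontPage-PWS32/X.X.X.XXXX", each X a single digit, as the bulletin words it.
FP_PWS = re.compile(r"FrontPage-PWS32/\d\.\d\.\d\.\d{4}")

def triage(os_name, frontpage, server_version):
    """Map one host to (action, patch_url) using the bulletin's rules.

    os_name: e.g. "Windows 98"; frontpage: "1.1", "97" or "98";
    server_version: text of the FrontPage "Server Version" field.
    """
    if "NT" in os_name.upper().split():
        return ("not affected", None)          # no product is affected on NT
    if frontpage == "1.1":
        return ("upgrade to PWS 4.0, then patch", PWS4_PATCH)
    if frontpage not in ("97", "98"):
        raise ValueError("unsupported FrontPage version: %r" % frontpage)
    banner = server_version.strip()
    if banner == "Microsoft-IIS/4.0":          # Microsoft Personal Web Server 4.0
        return ("patch", PWS4_PATCH)
    if FP_PWS.fullmatch(banner):               # FrontPage Personal Web Server
        if frontpage == "98":
            return ("patch", FP98_PATCH)
        return ("upgrade to PWS 4.0, then patch", PWS4_PATCH)
    return ("no patch needed", None)

# Constructed inventory rows (hypothetical hosts and version digits).
INVENTORY = [
    ("host-a", "Windows 98", "98", "Microsoft-IIS/4.0"),
    ("host-b", "Windows 95", "98", "FrontPage-PWS32/3.0.2.1105"),
    ("host-c", "Windows 95", "97", "FrontPage-PWS32/2.0.2.1112"),
    ("host-d", "Windows NT", "98", "Microsoft-IIS/4.0"),
    ("host-e", "Windows 98", "97", "ExampleServer/1.0"),
]

def report(rows):
    """Return {host: action} for every inventory row."""
    return {host: triage(os_name, fp, sv)[0] for host, os_name, fp, sv in rows}

if __name__ == "__main__":
    for host, action in report(INVENTORY).items():
        print(host, "->", action)
```
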

More Information

Please see the following references for more information related to this issue.

Obtaining Support on this Issue

If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/contactussupport/?ws=support.

Revisions

  • March 26, 1999: Bulletin Created

For additional security-related information about Microsoft products, please visit http://www.microsoft.com/technet/security

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
