Personal Web Server File Access Vulnerability Patch (FrontPage 98)
Personal Web Server File Access Vulnerability Patch (FrontPage 98) applies when you use FrontPage Personal Web Server 1.0 (Vhttpd32.exe version 2.0.2.xxxx) on Microsoft Windows 95 or Windows 98 operating systems. In that configuration, your Web site is vulnerable to unauthorized users accessing your files using a specific nonstandard URL. This patch fixes this problem.
Microsoft has released a patch that eliminates a vulnerability in certain versions of Personal Web Server running under Windows® 95 or Windows 98, which could allow files on the server to be read by an unauthorized user who knew the name of the file and requested it via a specific non-standard URL. Users running web server products on Microsoft Windows NT® are not affected.
Major Features:
- Issue
- This vulnerability allows a file request that uses a non-standard URL to bypass the server's normal file access controls. The file must be specifically requested by name, so the requester would need to know the name of the file or correctly guess it. The vulnerability would allow files on the server to be read, but not changed or deleted, and would not allow new files to be written to the server. The vulnerability does not allow any administrative privileges on the server.
- Although some of the affected products are provided as part of Windows 95 and 98, none are turned on by default. Further, none of the affected products exhibit the vulnerability when run on Windows NT. While there have not been any reports of customers being adversely affected by these problems, Microsoft is releasing a patch to proactively address this issue.
- Affected Software Versions
- This vulnerability involves two different products with similar names: Microsoft Personal Web Server and FrontPage® Personal Web Server. The products can be installed on Windows 95, 98 or Windows NT; however, none of the products are affected by this vulnerability if installed on Windows NT.
- Microsoft Personal Web Server is available as part of Windows 98 and the Windows NT Option Pack (which can be installed on Windows 95 and 98, as well as Windows NT). Microsoft Personal Web Server 4.0 is the only version affected by the vulnerability.
- There is only one version of FrontPage Personal Web Server, which shipped as part of Microsoft FrontPage 1.1, FrontPage 97, and FrontPage 98.
- Note: Most FrontPage users will not be affected by this vulnerability. FrontPage 97 and 98 include two personal web servers - FrontPage Personal Web Server and Microsoft Personal Web Server 2.0 - and by default install the latter, which is not affected by the vulnerability. FrontPage 1.1 does install the FrontPage Personal Web Server by default.
- Vulnerability Identifier: CVE-1999-0386
- What Microsoft is Doing
- Microsoft has released patches that fix the problem identified. The patches are available for download from the sites listed below in What Customers Should Do.
- Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See The Microsoft Product Security Notification Service for more information about this free customer service.
- Microsoft has published the following Knowledge Base (KB) articles on this issue:
- Microsoft Knowledge Base (KB) article 216453, FP98: Security Patch for FrontPage Personal Web Server.
- Microsoft Knowledge Base (KB) article 217765, FP97: Security Patch for FrontPage Personal Web Server.
- Microsoft Knowledge Base (KB) article 217763, File Access Vulnerability in Personal Web Server.
- (Note: It might take 24 hours from the original posting of this bulletin for the KB articles to be visible in the Web-based Knowledge Base.)
Requirements:
- Windows 95/98
- FrontPage 98