
ms.personal.webserver.txt

Posted Aug 17, 1999

Microsoft has released a patch for the File Access Vulnerability in Personal Web Server. All relevant details included in file.

tags | exploit, web
SHA-256 | 62be2fea91fac4e6a6260bc674edeffa01aa449c0d036d00b77909e2b3807d42

Date: Sat, 27 Mar 1999 11:29:56 -0800
From: aleph1@UNDERGROUND.ORG
To: BUGTRAQ@netspace.org
Subject: Microsoft Security Bulletin (MS99-010)

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS99-010)
--------------------------------------

Patch Available for File Access Vulnerability in Personal Web Server

Originally Posted: March 26, 1999

Summary
=======
Microsoft has released a patch that eliminates a vulnerability in certain
versions of Personal Web Server running under Windows (c) 95 or Windows 98,
which could allow files on the server to be read by an unauthorized user
who knew the name of the file and requested it via a specific non-standard
URL. Users running web server products on Microsoft Windows NT (c) are not
affected.

A fully supported patch is available to fix this vulnerability, and
Microsoft recommends that customers download and install it if appropriate.


Issue
=====
This vulnerability allows a file request that uses a non-standard URL to
bypass the server's normal file access controls. The file must be
specifically requested by name, so the requester would need to know the
name of the file or correctly guess it. The vulnerability would allow files
on the server to be read, but not changed or deleted, and would not allow
new files to be written to the server. The vulnerability does not usurp any
administrative privileges on the server.

Although some of the affected products are provided as part of Windows 95
and 98, none are turned on by default. Further, none of the affected
products exhibit the vulnerability when run on Windows NT. While there have
not been any reports of customers being adversely affected by these
problems, Microsoft is releasing a patch to proactively address this issue.

Affected Software Versions
==========================
This vulnerability involves two different products with similar names:
Microsoft (r) Personal Web Server and FrontPage (r) Personal Web Server.
The products can be installed on Windows 95, 98 or Windows NT; however,
none of the products are affected by this vulnerability if installed on
Windows NT.

- Microsoft Personal Web Server is available as part
of Windows 98 and the Windows NT Option Pack (which
can be installed on Windows 95 and 98, as well as
Windows NT). Microsoft Personal Web Server 4.0 is
the only version affected by the vulnerability.
- There is only one version of FrontPage Personal Web Server,
which shipped as part of Microsoft FrontPage 1.1, FrontPage 97,
and FrontPage 98. It is affected by this vulnerability.

Note: Most FrontPage users will not be affected by this vulnerability.
FrontPage 97 and 98 include two personal web servers - FrontPage Personal
Web Server and Microsoft Personal Web Server 2.0 - and by default install
the latter, which is not affected by the vulnerability. FrontPage 1.1 does
install the FrontPage Personal Web Server by default.

What Microsoft is Doing
=======================
Microsoft has released patches that fix the problem identified. The patches
are available for download from the sites listed below in What Customers
Should Do.

Microsoft also has sent this security bulletin to customers
subscribing to the Microsoft Product Security Notification Service.
See http://www.microsoft.com/security/services/bulletin.asp for
more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) articles on this
issue:
- Microsoft Knowledge Base (KB) article Q216453,
FP98: Security Patch for FrontPage Personal Web Server,
http://support.microsoft.com/support/kb/articles/q216/4/53.asp.
- Microsoft Knowledge Base (KB) article Q217765,
FP97: Security Patch for FrontPage Personal Web Server,
http://support.microsoft.com/support/kb/articles/q217/7/65.asp.
- Microsoft Knowledge Base (KB) article Q217763,
File Access Vulnerability in Personal Web Server,
http://support.microsoft.com/support/kb/articles/q217/7/63.asp

(Note: It might take 24 hours from the original posting of this bulletin for
the KB articles to be visible in the Web-based Knowledge Base.)

What Customers Should Do
========================
Microsoft highly recommends that customers evaluate the degree of risk that
this vulnerability poses to their systems and determine whether to download
and install the patch. The only customers who may be affected by this
vulnerability are those who use Windows 95 or 98 to host a personal web
site. As noted above, Windows NT users who host personal web sites are not
affected by this vulnerability.

If you are using Windows 95 or 98 to host a personal web site but have never
installed FrontPage:
You are running Microsoft Personal Web Server. Only version
4.0 requires a patch. To determine whether you are running
version 4.0, right-click on the Personal Web Server icon in
the Windows taskbar system tray (next to the System Clock) and
choose Properties. If a dialog box titled "Personal Web Manager"
appears, then you are running Microsoft Personal Web Server 4.0
and need to install the patch located at
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.
If the title is anything other than "Personal Web Manager", you
do not need the patch.

If you are using Windows 95 or 98 to host a personal web site and have
installed FrontPage:
As detailed in Affected Software Versions, most users of Microsoft
FrontPage are not affected by this vulnerability. Use the following
guidelines to determine if you need this patch:

If you are using FrontPage 98:

1. Start FrontPage, then open a web site on the local machine
by selecting the Open FrontPage Web command from the File menu.
2. On the Tools Menu, select Web Settings. Select the Configuration tab.
3. If the value in the "Server Version" field reads "Microsoft-IIS/4.0",
Microsoft Personal Web Server 4.0 is installed and you should
apply the patch located at
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.
4. If the value in the "Server Version" field reads
"FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any digit), the
FrontPage Personal Web Server is installed and you should install
the patch for FrontPage 98 users of the FrontPage Personal Web Server
located at
http://officeupdate.microsoft.com/downloadDetails/fppws98.htm.
5. If the value in the "Server Version" field is any other value, you
do not need the patch.

If you are using FrontPage 97:

1. Start FrontPage, then open a web site on the local machine by
selecting the Open FrontPage Web command from the File menu.
2. On the Tools Menu, select Web Settings. Select the Configuration tab.
3. If the value in the "Server Version" field reads "Microsoft-IIS/4.0",
Microsoft Personal Web Server 4.0 is installed and you should
apply the patch located at
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.
4. If the value in the "Server Version" field reads
"FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any digit), the
FrontPage Personal Web Server is installed and you should upgrade to
Microsoft Personal Web Server 4.0, which can be downloaded from
http://www.microsoft.com/windows/ie/pws/default.htm, then install
the patch for Microsoft Personal Web Server 4.0 located at
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.
(Users needing remote authoring should follow a different upgrade
path, detailed in Microsoft Knowledge Base Article Q217765,
FP97: Security Patch for FrontPage Personal Web Server,
http://support.microsoft.com/support/kb/articles/q217/7/65.asp)
5. If the value in the "Server Version" field is any other value, you
do not need the patch.

If you are using FrontPage 1.1:

You need to upgrade to Microsoft Personal Web Server 4.0, which can be
downloaded from http://www.microsoft.com/windows/ie/pws/default.htm,
then install the patch for Microsoft Personal Web Server 4.0 located at
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.

More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-010,
Patch Available for File Access Vulnerability in Personal
Web Server (the Web-posted version of this bulletin),
http://www.microsoft.com/security/bulletins/ms99-010.asp.
- Microsoft Knowledge Base Article Q216453,
FP98: Security Patch for FrontPage Personal Web Server,
http://support.microsoft.com/support/kb/articles/q216/4/53.asp
- Microsoft Knowledge Base Article Q217765,
FP97: Security Patch for FrontPage Personal Web Server,
http://support.microsoft.com/support/kb/articles/q217/7/65.asp
- Microsoft Knowledge Base Article Q217763,
File Access Vulnerability in Personal Web Server,
http://support.microsoft.com/support/kb/articles/q217/7/63.asp

(Note: It might take 24 hours from the original posting of this bulletin for
the KB articles to be visible in the Web-based Knowledge Base.)

Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact
Microsoft Technical Support. For information on contacting Microsoft
Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.

Revisions
=========
- March 26, 1999: Bulletin Created


For additional security-related information about Microsoft
products, please visit http://www.microsoft.com/security.


---------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
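
Added example (not part of the Microsoft bulletin or the original post): the decision steps from "What Customers Should Do" written as a triage function for an asset inventory. The names triage and SAMPLE_HOSTS, the relaxed banner pattern and the sample rows are assumptions made for illustration.

```python
import re

# Banner string and download locations quoted in the bulletin.
PWS4_BANNER = "Microsoft-IIS/4.0"
PWS4_PATCH = "http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe"
FP98_PATCH = "http://officeupdate.microsoft.com/downloadDetails/fppws98.htm"
PWS4_UPGRADE = "http://www.microsoft.com/windows/ie/pws/default.htm"
# The bulletin gives the banner as "FrontPage-PWS32/X.X.X.XXXX". Assumption:
# each field is matched as any run of digits rather than a fixed width.
FPPWS_RE = re.compile(r"FrontPage-PWS32/\d+(?:\.\d+){3}")

NO_ACTION = ("no patch needed", ())
PATCH_PWS4 = ("install patch", (PWS4_PATCH,))
UPGRADE_THEN_PATCH = ("upgrade to PWS 4.0, then install patch", (PWS4_UPGRADE, PWS4_PATCH))

def triage(os_name, frontpage=None, server_version="", dialog_title=""):
    """Hypothetical helper: map one host's facts to the bulletin's advice.
    os_name: "95", "98" or "NT"; frontpage: None, "1.1", "97" or "98".
    server_version: FrontPage "Server Version" field; dialog_title: PWS Properties title.
    """
    if os_name == "NT":            # no product is affected on Windows NT
        return ("not affected", ())
    if frontpage is None:          # Microsoft PWS; only version 4.0 needs the patch
        return PATCH_PWS4 if dialog_title.strip() == "Personal Web Manager" else NO_ACTION
    if frontpage == "1.1":         # installs FrontPage PWS by default
        return UPGRADE_THEN_PATCH
    if frontpage not in ("97", "98"):
        raise ValueError("unknown FrontPage version: %r" % (frontpage,))
    banner = server_version.strip()
    if banner == PWS4_BANNER:
        return PATCH_PWS4
    if FPPWS_RE.fullmatch(banner):
        # FrontPage 98 has its own patch; FrontPage 97 upgrades to PWS 4.0 first
        # (remote-authoring users follow KB Q217765 instead).
        return ("install patch", (FP98_PATCH,)) if frontpage == "98" else UPGRADE_THEN_PATCH
    return NO_ACTION               # any other Server Version value

# Constructed inventory rows (not from the bulletin): os, FrontPage, banner, title.
SAMPLE_HOSTS = [
    ("98", None, "", "Personal Web Manager"),
    ("95", "98", "FrontPage-PWS32/3.0.2.926", ""),
    ("95", "97", "FrontPage-PWS32/3.0.2.926", ""),
    ("NT", "98", "Microsoft-IIS/4.0", ""),
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(host, "->", triage(*host))
```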