Date: Sat, 27 Mar 1999 11:29:56 -0800 From: aleph1@UNDERGROUND.ORG To: BUGTRAQ@netspace.org Subject: Microsoft Security Bulletin (MS99-010) The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox. ******************************** Microsoft Security Bulletin (MS99-010) -------------------------------------- Patch Available for File Access Vulnerability in Personal Web Server Originally Posted: March 26, 1999 Summary ======= Microsoft has released a patch that eliminates a vulnerability in certain versions of Personal Web Server running under Windows (c) 95 or Windows 98, which could allow files on the server to be read by an unauthorized user who knew the name of the file and requested it via a specific non-standard URL. Users running web server products on Microsoft Windows NT (c) are not affected. A fully supported patch is available to fix this vulnerability, and Microsoft recommends that customers download and install it if appropriate. Issue ===== This vulnerability allows a file request that uses a non-standard URL to bypass the server's normal file access controls. The file must be specifically requested by name, so the requester would need to know the name of the file or correctly guess it. The vulnerability would allow files on the server to be read, but not changed or deleted, and would not allow new files to be written to the server. The vulnerability does not usurp any administrative privileges on the server. Although some of the affected products are provided as part of Windows 95 and 98, none are turned on by default. Further, none of the affected products exhibit the vulnerability when run on Windows NT. While there have not been any reports of customers being adversely affected by these problems, Microsoft is releasing a patch to proactively address this issue. Affected Software Versions ========================== This vulnerability involves two different products with similar names: Microsoft (r) Personal Web Server and FrontPage (r) Personal Web Server. The products can be installed on Windows 95, 98 or Windows NT; however, none of the products are affected by this vulnerability if installed on Windows NT. - Microsoft Personal Web Server is available as part of Windows 98 and the Windows NT Option Pack (which can be installed on Windows 95 and 98, as well as Windows NT). Microsoft Personal Web Server 4.0 is the only version affected by the vulnerability. - There is only one version of FrontPage Personal Web Server, which shipped as part of Microsoft FrontPage 1.1, FrontPage 97, and FrontPage 98. It is affected by this vulnerability. Note: Most FrontPage users will not be affected by this vulnerability. FrontPage 97 and 98 include two personal web servers - FrontPage Personal Web Server and Microsoft Personal Web Server 2.0 - and by default install the latter, which is not affected by the vulnerability. FrontPage 1.1 does install the FrontPage Personal Web Server by default. What Microsoft is Doing ======================= Microsoft has released patches that fix the problem identified. The patches are available for download from the sites listed below in What Customers Should Do. Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See http://www.microsoft.com/security/services/bulletin.asp for more information about this free customer service. Microsoft has published the following Knowledge Base (KB) articles on this issue: - Microsoft Knowledge Base (KB) article Q216453, FP98: Security Patch for FrontPage Personal Web Server, http://support.microsoft.com/support/kb/articles/q216/4/53.asp. - Microsoft Knowledge Base (KB) article Q217765, FP97: Security Patch for FrontPage Personal Web Server, http://support.microsoft.com/support/kb/articles/q217/7/65.asp. - Microsoft Knowledge Base (KB) article Q217763, File Access Vulnerability in Personal Web Server, http://support.microsoft.com/support/kb/articles/q217/7/63.asp (Note: It might take 24 hours from the original posting of this bulletin for the KB articles to be visible in the Web-based Knowledge Base.) What Customers Should Do ======================== Microsoft highly recommends that customers evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the patch. The only customers who may be affected by this vulnerability are those who use Windows 95 or 98 to host a personal web site. As noted above, Windows NT users who host personal web sites are not affected by this vulnerability. If you are using Windows 95 or 98 to host a personal web site but have never installed FrontPage: You are running Microsoft Personal Web Server. Only version 4.0 requires a patch. To determine whether you are running version 4.0, right-click on the Personal Web Server icon in the Windows taskbar system tray (next to the System Clock) and choose Properties. If a dialog box titled "Personal Web Manager" appears, then you are running Microsoft Personal Web Server 4.0 and need to install the patch located at http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe. If the title is anything other than "Personal Web Manager", you do not need the patch. If you are using Windows 95 or 98 to host a personal web site and have installed FrontPage: As detailed in Affected Software Versions, most users of Microsoft FrontPage are not affected by this vulnerability. Use the following guidelines to determine if you need this patch: If you are using FrontPage 98: 1. Start FrontPage, then open a web site on the local machine by selecting the Open FrontPage Web command from the File menu. 2. On the Tools Menu, select Web Settings. Select the Configuration tab. 3. If the value in the "Server Version" field reads "Microsoft-IIS/4.0", Microsoft Personal Web Server 4.0 is installed and you should apply the patch located at http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe. 4. If the value in the "Server Version" field reads "FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any digit), the FrontPage Personal Web Server is installed and you should install the patch for FrontPage 98 users of the FrontPage Personal Web Server located at http://officeupdate.microsoft.com/downloadDetails/fppws98.htm. 5. If the value in the "Server Version" field is any other value, you do not need the patch. If you are using FrontPage 97: 1. Start FrontPage, then open a web site on the local machine by selecting the Open FrontPage Web command from the File menu. 2. On the Tools Menu, select Web Settings. Select the Configuration tab. 3. If the value in the "Server Version" field reads "Microsoft-IIS/4.0", Microsoft Personal Web Server 4.0 is installed and you should apply the patch at located at http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe. 4. If the value in the "Server Version" field reads "FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any digit), the FrontPage Personal Web Server is installed and you should upgrade to Microsoft Personal Web Server 4.0, which can be downloaded from http://www.microsoft.com/windows/ie/pws/default.htm, then install the patch for Microsoft Personal Web Server 4.0 located at http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe. (Users needing remote authoring should follow a different upgrade path, detailed in Microsoft Knowledge Base Article Q217765, FP97: Security Patch for FrontPage Personal Web Server, http://support.microsoft.com/support/kb/articles/q217/7/65.asp) 5. If the value in the "Server Version" field is any other value, you do not need the patch. If you are using FrontPage 1.1: You need to upgrade to Microsoft Personal Web Server 4.0, which can be downloaded from http://www.microsoft.com/windows/ie/pws/default.htm, then install the patch for Microsoft Personal Web Server 4.0 located at http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe. More Information ================ Please see the following references for more information related to this issue. - Microsoft Security Bulletin MS99-010, Patch Available for File Access Vulnerability in Personal Web Server (the Web-posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms99-010.asp. - Microsoft Knowledge Base Article Q216453, FP98: Security Patch for FrontPage Personal Web Server, http://support.microsoft.com/support/kb/articles/q216/4/53.asp - Microsoft Knowledge Base Article Q217765, FP97: Security Patch for FrontPage Personal Web Server, http://support.microsoft.com/support/kb/articles/q217/7/65.asp - Microsoft Knowledge Base Article Q217763, File Access Vulnerability in Personal Web Server, http://support.microsoft.com/support/kb/articles/q217/7/63.asp (Note: It might take 24 hours from the original posting of this bulletin for the KB articles to be visible in the Web-based Knowledge Base.) Obtaining Support on this Issue =============================== If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/support/contact/default.asp. Revisions ========= - March 26, 1999: Bulletin Created For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security. --------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. (c) 1999 Microsoft Corporation. All rights reserved. Terms of Use. ******************************************************************* You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/bulletin.htm. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.