Microsoft Web Tool Exposes Users

Some users of Microsoft's Web authoring tool may be publishing more than they intend.

Microsoft today acknowledged a security hole in a utility that accompanies its FrontPage Web authoring software. The hole exposes the user's hard drive to intruders who visit the user's Web page.

Only a small number of FrontPage users will have the specific configuration that makes them vulnerable, FrontPage program manager Mike Angiulo said. Those users are utilizing the original version of the Personal Web Server utility running on Windows 95 and 98. Windows NT users are not affected.

Personal Web Server is a tool that lets users effectively turn their personal computers into Web servers. Normally, a Web author designs a site and then posts it to a remote server to inspect it. Personal Web Server lets the user post the site to the Web directly from the PC. The software is not intended for more than the editing and inspection process; for instance, it won't accommodate more than a few dozen simultaneous visitors.

But for FrontPage customers who do use the Personal Web Server to post and serve their sites, a security glitch could reveal any file on their hard drive, provided the intruder knows or guesses the name of that file.

The security glitch lets the Web site visitor enter a URL with a string of dots; those dots call up documents higher in the file path. Normal security would prevent a Web site visitor from accessing files outside the posted content area, serving up an "access forbidden" error message instead. But FrontPage Personal Web Server is missing that safeguard.
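The safeguard described above, sketched as an added example (this is not Microsoft's code or anything from the original article): a request path is mapped into the content area with and without a containment check. `DOC_ROOT`, the function names and the sample requests are assumptions made for illustration, and the check is pure path logic; a real server would also resolve symbolic links before comparing.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/srv/www/site"  # hypothetical posted content area (assumption)


def resolve_unchecked(url_path):
    """The missing-safeguard case: join and normalise, never check the result."""
    relative = unquote(url_path).lstrip("/")
    return posixpath.normpath(posixpath.join(DOC_ROOT, relative))


def resolve_checked(url_path):
    """Return (status, path); 403 when the request would leave DOC_ROOT."""
    # Decode once, and treat backslashes as separators so both spellings
    # of a parent reference are seen by the same check.
    decoded = unquote(url_path).replace("\\", "/")
    segments = [s for s in decoded.split("/") if s]
    # Conservative choice: a segment of three or more dots has no legitimate
    # use in a site path, so refuse it rather than guess how the platform
    # underneath would interpret it.
    if any(len(s) >= 3 and set(s) == {"."} for s in segments):
        return 403, None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, *segments))
    # Compare whole path components. A plain string-prefix test would wrongly
    # accept a sibling directory such as /srv/www/sitefoo.
    if posixpath.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        return 403, None
    return 200, candidate


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real log.
    samples = [
        "/index.html",
        "/images/../index.html",
        "/../../../etc/hosts",
        "/%2e%2e/%2e%2e/secret.txt",
        "/../sitefoo/x.html",
        "/.../notes.txt",
    ]
    for request in samples:
        status, path = resolve_checked(request)
        print(f"{request:28} unchecked={resolve_unchecked(request):28} "
              f"checked={status} {path or 'access forbidden'}")
```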

Angiulo said Microsoft programmers were working to post a fix as soon as possible.

The bug only affects the first version of the utility, known as FrontPage Personal Web Server. Subsequent versions, dubbed Microsoft Personal Web Server, are not affected. The first, faulty version ships with all versions of FrontPage, but does not come up as the default Web serving software starting with FrontPage 97.

Microsoft acquired FrontPage and its utility when it bought Vermeer Technologies in 1996.

Copyright (C) 1998-1999 The Active Network. All rights reserved.