Microsoft Web Tool Exposes Users
Some users of Microsoft's Web authoring tool may be publishing more than they intend.
Microsoft today acknowledged a security hole in a utility that accompanies its FrontPage Web authoring software. The hole exposes the user's hard drive to intruders who visit the user's Web page.
Only a small number of FrontPage users will have the specific configuration that makes them vulnerable, FrontPage program manager Mike Angiulo said. Those users are utilizing the original version of the Personal Web Server utility running on Windows 95 and 98. Windows NT users are not affected.
Personal Web Server is a tool that lets users effectively turn their personal computers into Web servers. Normally, a Web author designs a site and then posts it to a remote server to inspect it. Personal Web Server lets the user post the site to the Web directly from the PC. The software is not intended for more than the editing and inspection process; for instance, it won't accommodate more than a few dozen simultaneous visitors.
But for FrontPage customers who do use the Personal Web Server to post and serve their sites, a security glitch could reveal any file on their hard drive, provided the intruder knows or guesses the name of that file.
The security glitch lets the Web site visitor enter a URL with a string of dots;
those dots call up documents higher in the file path. Normal security would prevent a Web site visitor from accessing files outside the posted content area, serving up an "access forbidden" error message instead. But FrontPage Personal Web Server is missing that safeguard.Angiulo said Microsoft programmers were working to post a fix as soon as possible.
The bug only affects the first version of the utility, known as FrontPage Personal Web Server. Subsequent versions, dubbed Microsoft Personal Web Server, are not affected. The first, faulty version ships with all versions of FrontPage, but does not come up as the default Web serving software starting with FrontPage 97.
Microsoft acquired FrontPage and its utility when it bought Vermeer Technologies in 1996.
Related news stories
• Microsoft
details Office 2000 prices January
5, 1999
• Office
2000 delayed November
5, 1998
• Microsoft
details Office features October
22, 1998
• Win
98 bug rankles ISP July
7, 1998
• Feature
or bug in FrontPage 98? May
5, 1998
• FrontPage
bug latest security hole March
18, 1997
Copyright (C)
1998-1999 The Active Network. All rights reserved.
Please click here for
full terms of use and restrictions.