FP98: FrontPage 98 Server Extensions DLL Exposes Security Vulnerability (259799)

SYMPTOMS

The Dvwssr.dll file, which is included in several Web server products, does not perform access-control checks correctly. Because of this, there is a possibility that a user with Web Authoring permissions on a Web site can view ASP files that belong to other Web sites hosted on the same computer, if that user has read permissions on those files.

NOTE: This problem only occurs on a computer that is running Microsoft Internet Information Server (IIS). This problem does not occur when you run the FrontPage 98 Server Extensions on a UNIX-based Web server.

RESOLUTION

To eliminate this vulnerability, delete all copies of the Dvwssr.dll file from your computer. When you do this, the only functionality that is lost is the ability to generate a link view by using Visual InterDev 1.0. In the FrontPage 98 Server Extensions, the DLL is found in the following location:

_vti_bin\_vti_aut\Dvwssr.dll

Other resolutions for this issue include the following:

Upgrade to FrontPage 2000 Server Extensions.
Install Office 2000 Server Extensions.
Upgrade from Microsoft Windows NT 4.0 Server to Microsoft Windows 2000.

MORE INFORMATION

The Dvwssr.dll file is included with FrontPage 98, the FrontPage 98 Server Extensions, and the Windows NT 4.0 Option Pack (which also includes the FrontPage 98 Server Extensions). The Dvwssr.dll file is not included with FrontPage 2000, the FrontPage 2000 Server Extensions, Windows 2000, or Microsoft Internet Information Services 5.0.

The Dvwssr.dll file is a server-side component that enables access to files on the server for the Link View feature in Visual Interdev 97 (Visual Interdev 1.0). Access to the DLL is permitted to users who have Web Authoring permissions on any FrontPage Web on the server. Therefore, a user can use this DLL to view files on other FrontPage Webs on the same server that they do not have permissions to, provided that the user knows the location of the file.

Upgrading from the Windows NT 4.0 Option Pack to Windows 2000 removes the DLL from active use in the Web. The DLL is still on the system in the Program Files/Microsoft FrontPage directory, but the file is no longer accessible through HTTP, which eliminates the security vulnerability.

There are some significant restrictions to this vulnerability, as follows:

Only servers that are hosting multiple Web sites can be affected.
Only a user who has Web Authoring permissions on at least one site on the server can request a file. That user also needs to know the name and location of the file on the server.
Only ASP files (and the Global.asa file, which is a special-case ASP file) can be retrieved.
The files are only sent if the user who requests the files has read permissions on them. In most cases, this means that the files have read permissions granted to the Everyone group.

Affected Software and Versions

The affected component is part of Visual Interdev 1.0. However, it is a server-side component and is included in the following products:

Windows NT 4.0 Option Pack
Personal Web Server 4.0, which is included with Microsoft Windows 95 and Microsoft Windows 98

For more information about this issue, please see the following references: