COMMAND

    FrontPage

SYSTEMS AFFECTED

    This bug affects Web sites created with FrontPage 1.1 for  Windows
    and FrontPage 97  with Bonus Pack  for Windows that  are hosted on
    Web servers with  any version of  the FrontPage Server  Extensions
    installed. However, it only  affects those sites that  contain the
    WebBot components described below.

PROBLEM

    There is a bug in the Microsoft FrontPage Server Extensions that
    allows knowledgeable users to potentially add content to pages on
    a Web site without permission through use of raw HTML. This can
    only happen if:

        1. Someone viewing a Web page has an advanced mastery of HTML
        2. The  Web  site  is  hosted  on  a server that contains  the
           FrontPage server extensions
        3. A Web  page contains a  Save Results WebBot  Component or a
           Discussion WebBot Component

    Since raw HTML is  not filtered out of  entries made in the  entry
    fields of the Save Results or Discussion WebBot Components, it  is
    possible for a knowledgeable person  browsing a site to enter  the
    tags  necessary  to  create  a  form  within  these fields. If the
    results page is then fetched for browsing, the newly inserted form
    will be available for use by anyone browsing the site. The  result
    is that anyone browsing could then append information to pages  in
    the Web site even though they do not have authoring permission.
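
    The missing filtering step described above, shown as an added
    example (not code from Microsoft or from the Server Extensions):
    a results page built from stored field text verbatim, the same
    page built with each field HTML-encoded, and an audit check for
    stored markup. The handler names, the page template and the sample
    submissions are constructed for illustration.

```python
import html
import re

# Constructed sample submissions for a Save Results style form (not from the advisory).
SUBMISSIONS = [
    {"name": "Alice", "comment": "Great site, thanks!"},
    {"name": "Visitor", "comment": '<form method="post" action="/guestbook">'
                                   '<input name="comment"><input type="submit"></form>'},
]

def append_entry_raw(page: str, entry: dict) -> str:
    """Behaviour described in the advisory: field text is stored verbatim."""
    return page + "<p><b>%s</b>: %s</p>\n" % (entry["name"], entry["comment"])

def append_entry_encoded(page: str, entry: dict) -> str:
    """Hardened form: every field is HTML-encoded before it is stored."""
    name = html.escape(entry["name"], quote=True)
    comment = html.escape(entry["comment"], quote=True)
    return page + "<p><b>%s</b>: %s</p>\n" % (name, comment)

# Tags the (hypothetical) results template itself is allowed to emit.
TEMPLATE_TAGS = {"p", "b"}
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")

def unexpected_tags(page: str) -> set:
    """Audit check: tag names in a stored results page that the template never writes."""
    return {t.lower() for t in TAG_RE.findall(page)} - TEMPLATE_TAGS

def build(append) -> str:
    """Run every sample submission through the given append handler."""
    page = ""
    for entry in SUBMISSIONS:
        page = append(page, entry)
    return page

if __name__ == "__main__":
    print("raw    :", sorted(unexpected_tags(build(append_entry_raw))))
    print("encoded:", sorted(unexpected_tags(build(append_entry_encoded))))
```

    The same audit check can be run over existing results pages to
    find entries that were stored before the updated extensions were
    installed.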

    Any web  server with  the FrontPage  97 or  1.1 Server  Extensions
    installed and  active FrontPage  webs with  the WebBots  specified
    above  are  potentially  at  risk.  If  the server has server-side
    include capability enabled then the potential exposure is  higher.
    However,  server-side  includes  are  a  Web  server  feature that
    should  be  carefully  evaluated  by  any  Internet  server  owner
    regardless  of  whether  the   FrontPage  Server  Extensions   are
    installed.  Text used here is Microsoft copyright.  For more  info
    check:

        http://www.microsoft.com/security/

SOLUTION

    After isolating the bug and replicating it, MS concluded the best
    way  to  address  the  issue  was  to  create  new versions of the
    FrontPage 97 Server Extensions. These Server Extensions are  being
    made immediately available  at no charge  to all of  our users via
    download from the FrontPage Web site at

        http://www.microsoft.com/frontpage/softlib/current.htm

    In addition, MS is in the process of proactively sending a set  of
    the  updated  FrontPage  97  Server  Extensions  to  all  Internet
    Service  Providers  we  know  of  that  are  currently  using  the
    FrontPage Server Extensions,  and they will  also include them  in
    the Windows NT Server Service Pack 3.