COMMAND
PWS/FP98
SYSTEMS AFFECTED
Win 95, 98, NT?
PROBLEM
Richard M. Smith discovered what is believed to be a serious
security hole in the version of Microsoft's Personal Web Server
(PWS) that ships with FrontPage 98. This security hole appears to
allow a JavaScript macro embedded in an HTML Email message to
become the PWS system administrator and change settings in PWS.
One particularly bad thing that a JavaScript macro can do is to
expose an entire hard disk as an HTTP directory, allowing outsiders
to view and copy any file from the hard disk. In most HTML-based
Email readers this attack is executed simply when a message
containing the malicious JavaScript code is read.
There's a simple set of tests that anyone who is running PWS on
their computer can try. These tests involve simply clicking on Web
links in this message (you have to make them HTML). If the PWS
system administrator pages come up in your Web browser, then the
system is likely to be vulnerable. Here are the tests:
Test #1: Is the PWS home page visible?
http://localhost
Test #2: Is the main PWS system administrator page visible?
http://localhost/HtmlaScripts/htmla.dll?http/serv
Test #3: Is the PWS directories page visible?
http://localhost/HtmlaScripts/htmla.dll?http/dir
Test #4: Is the add directory page visible?
http://localhost/HtmlaScripts/htmla.dll?http/diradd
The actual security hole Richard found is that a JavaScript
macro goes to the link specified in Test 4 and does an HTML form
submit that maps disk directory C:\ to the HTTP directory C. Once
this is done, a Web browser running on another computer can view
and copy any file on drive C: using the URL http://a.b.c.d/C/
where a.b.c.d is the IP address of the system that has been
compromised.
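The four tests above can also be run as a script on the machine
that hosts PWS. This is an added example, not part of the original
advisory; the function names, the verdict strings and the treatment
of an HTTP 200 reply as "the page comes up" are assumptions.

```python
import http.client
import urllib.error
import urllib.request

# The four test URLs, copied from the advisory.
TESTS = {
    1: "http://localhost",
    2: "http://localhost/HtmlaScripts/htmla.dll?http/serv",
    3: "http://localhost/HtmlaScripts/htmla.dll?http/dir",
    4: "http://localhost/HtmlaScripts/htmla.dll?http/diradd",
}

# Ignore any configured proxy so the request really goes to this machine.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def http_status(url, timeout=3):
    """Return the HTTP status code for url, or None if nothing answered."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. 401/403/404: the server answered but refused
    except (OSError, http.client.HTTPException):
        return None      # connection refused, timeout, malformed reply


def assess(fetch=http_status):
    """Run tests 1-4 with no credentials and return (statuses, verdict).

    Assumption: a 200 reply means the page would come up in a browser.
    """
    status = {n: fetch(url) for n, url in TESTS.items()}
    admin_open = [n for n in (2, 3, 4) if status[n] == 200]
    if all(code is None for code in status.values()):
        verdict = "no-web-server"
    elif 4 in admin_open:
        verdict = "likely-vulnerable"  # add-directory page answers unauthenticated
    elif admin_open:
        verdict = "admin-pages-exposed"
    else:
        verdict = "admin-pages-not-reachable"
    return status, verdict


if __name__ == "__main__":
    statuses, verdict = assess()
    for n, url in TESTS.items():
        print(f"Test #{n}: {url} -> {statuses[n]}")
    print("Verdict:", verdict)
```
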
SOLUTION
After installing the PWS that comes with FP98, re-install NT SP3.
It will upgrade PWS to 3.0, which seems to be free of that bug.
Also, PWS 3.0 and 4.0 support Web-browser system administration.