COMMAND
Personal web server
SYSTEMS AFFECTED
Win 9x with FP PWS and MS PWS
PROBLEM
kiborg found the following while playing with Microsoft Personal Web
Server (Frontpage-PWS32/3.0.2.926). He found that the following
URL will list the root directory and let you download any file
you want:
http://www.victim.com/....../
Index of /....../
WINDOWS
My Documents
Program Files
FrontPage Webs
AUTOEXEC.BAT
COMMAND.COM
and so on. This bug exists because Windows 9x has a nice
feature. When you execute "cd .." it goes to the parent
directory, and "cd ..." goes to the parent directory of the parent
directory, etc. Windows NT has no such feature, so it isn't
exploitable there. So IIS 4.0 and PWS 3.0 are exploitable only when
run under Windows 9x, not Windows NT. Personal Web Server does
not check for these "aliases" and allows the request. This can be
used to access files and directories above the virtual web root.
Disabling directory browsing only does what it says: it disables
directory browsing. If an attacker can guess the path and name of a
file, and it is on the same drive as the web server, he can
retrieve the file. The rule to remember is that N dots
represent N - 1 directories above, so '....' is 3
directories above, '.....' is 4 directories above, and so on.
Although some of the affected products are provided as part of
Windows 95 and 98, none are turned on by default. Further, none
of the affected products exhibit the vulnerability when run on
Windows NT.
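Added example (not part of the original advisory): a Python check
that applies the N-dots rule above to request paths and flags any
that resolve above the virtual web root, run over constructed
access-log lines. The function names, log format and sample lines
are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

DOTS_ONLY = re.compile(r"^\.+$")                 # ".", "..", "...", ...
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+)')  # path in a log line


def levels_up(segment):
    """Levels a dots-only segment climbs on Win9x: N dots = N - 1."""
    return len(segment) - 1 if DOTS_ONLY.match(segment) else 0


def escapes_web_root(url_path):
    """True if the path at any point resolves above the web root."""
    depth = 0
    # Drop the query string, normalise percent-encoding, and treat
    # '\' like '/' as Windows does, before looking at the segments.
    path = unquote(url_path.split("?", 1)[0])
    for seg in re.split(r"[/\\]+", path):
        if not seg:
            continue
        if DOTS_ONLY.match(seg):
            depth -= levels_up(seg)
        else:
            depth += 1
        if depth < 0:
            return True
    return False


# Constructed sample log lines (assumed common-log-style format).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/1999:10:00:00] "GET /index.htm HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Jan/1999:10:00:05] "GET /....../ HTTP/1.0" 200 2048',
    '10.0.0.9 - - [01/Jan/1999:10:00:07] "GET /docs/../index.htm HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Jan/1999:10:00:09] "GET /images/.../.../AUTOEXEC.BAT HTTP/1.0" 200 300',
]


def flagged_requests(lines):
    """Return the request paths that climb above the web root."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m and escapes_web_root(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for p in flagged_requests(SAMPLE_LOG):
        print("traversal above web root:", p)
```

The same check works as a request filter in front of the server:
a path for which escapes_web_root() is true is refused before it
reaches the file system.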
SOLUTION
I'm not quite sure if I will shoot the right patch here, but MS99-010
sounds like it. MS highly recommends that customers evaluate the
degree of risk that this vulnerability poses to their systems and
determine whether to download and install the patch. The only
customers who may be affected by this vulnerability are those who
use Windows 95 or 98 to host a personal web site. As noted above,
Windows NT users who host personal web sites are not affected
by this vulnerability. If you are using Windows 95 or 98 to host
a personal web site but have never installed FrontPage:
You are running Microsoft Personal Web Server. Only version
4.0 requires a patch. To determine whether you are running
version 4.0, right-click on the Personal Web Server icon in
the Windows taskbar system tray (next to the System Clock) and
choose Properties. If a dialog box titled "Personal Web
Manager" appears, then you are running Microsoft Personal Web
Server 4.0 and need to install the patch located at
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.
If the title is anything other than "Personal Web Manager", you
do not need the patch.
If you are using Windows 95 or 98 to host a personal web site and
have installed FrontPage:
As detailed in Affected Software Versions, most users of MS
FrontPage are not affected by this vulnerability. Use the
following guidelines to determine if you need this patch:
If you are using FrontPage 98:
------------------------------
1. Start FrontPage, then open a web site on the local machine
by selecting the Open FrontPage Web command from the File
menu.
2. On the Tools Menu, select Web Settings. Select the
Configuration tab.
3. If the value in the "Server Version" field reads
"Microsoft-IIS/4.0", Microsoft Personal Web Server 4.0 is
installed and you should apply the patch located at
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe
4. If the value in the "Server Version" field reads
"FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any
digit), the FrontPage Personal Web Server is installed and
you should install the patch for FrontPage 98 users of the
FrontPage Personal Web Server located at
http://officeupdate.microsoft.com/downloadDetails/fppws98.htm
5. If the value in the "Server Version" field is any other
value, you do not need the patch.
If you are using FrontPage 97:
------------------------------
1. Start FrontPage, then open a web site on the local machine by
selecting the Open FrontPage Web command from the File menu.
2. On the Tools Menu, select Web Settings. Select the
Configuration tab.
3. If the value in the "Server Version" field reads
"Microsoft-IIS/4.0", Microsoft Personal Web Server 4.0 is
installed and you should apply the patch located at
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe.
4. If the value in the "Server Version" field reads
"FrontPage-PWS32/X.X.X.XXXX" (where the Xs signify any
digit), the FrontPage Personal Web Server is installed and
you should upgrade to Microsoft Personal Web Server 4.0,
which can be downloaded from
http://www.microsoft.com/windows/ie/pws/default.htm
then install the patch for Microsoft Personal Web Server 4.0
located at
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe
(Users needing remote authoring should follow a different
upgrade path, detailed in Microsoft Knowledge Base Article
Q217765, FP97: Security Patch for FrontPage Personal Web
Server)
5. If the value in the "Server Version" field is any other
value, you do not need the patch.
If you are using FrontPage 1.1:
-------------------------------
You need to upgrade to Microsoft Personal Web Server 4.0, which
can be downloaded from
http://www.microsoft.com/windows/ie/pws/default.htm
then install the patch for Microsoft Personal Web Server 4.0
located at
http://support.microsoft.com/download/support/mslfiles/Pwssecup.exe