[101] in Best-of-Security
BoS: Hotflash: FrontPage Server Extensions Security Issue (fwd)
daemon@ATHENA.MIT.EDU (Deprived)
Mon Mar 31 15:13:36 1997
Date: Sat, 29 Mar 1997 03:11:43 -0800 (PST)
From: Deprived <jerry@terrorist.org>
Reply-To: best-of-security@suburbia.net
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net
This one hadn't popped up here (that I've seen at least).
-----Original Message-----
From: Mark Lawrence
Sent: Wednesday, March 19, 1997 2:06 PM
To: Premier Product Info Distribution
Subject: Hotflash: FrontPage Server Extensions Security Issue
Microsoft FrontPage Modification Security Issue
Details are available at the Security Advisory Program Website:
http://www.microsoft.com/security/
Microsoft has uncovered a bug in the Microsoft FrontPage Server
Extensions that allow knowledgeable users to potentially add content to
pages on a Web site without permission through use of raw HTML. This can
only happen if:
1. Someone viewing a Web page has an advanced mastery of HTML
2. The Web site is hosted on a server that contains the FrontPage server
extensions
3. A Web page contains a Save Results WebBot Component or a Discussion
WebBot Component
Specifics: Since raw HTML is not filtered out of entries made in the
entry fields of the Save Results or Discussion WebBot Components, it is
possible for a knowledgeable person browsing a site to enter the tags
necessary to create a form within these fields. If the results page is
then fetched for browsing the newly inserted form will be available for
use by anyone browsing the site. The result is that anyone browsing
could then append information to pages in the Web site even though they
do not have authoring permission.
Microsoft Actions: After isolating the bug and replicating it we
concluded the best way to address the issue was to create new versions
of the FrontPage 97 Server Extensions. These Server Extensions are being
made immediately available at no charge to all of our users via download
from the FrontPage Web site at
http://www.microsoft.com/frontpage/softlib/current.htm. In addition, we
are in the process of proactively sending a set of the updated FrontPage
97 Server Extensions to all Internet Service Providers we know of that
are currently using the FrontPage Server Extensions, and we will also
include them in the Windows NT Server Service Pack 3.
How was this discovered? This issue came to our attention within the
last two weeks from a Microsoft employee creating a Web site with
FrontPage. Since then we have been confirming and replicating the error
to ensure that it was not an isolated incident. As far as we know, this
issue has affected no one outside of Microsoft.
<><><><><><><>
As with any bug that comes to our attention, we feel it is our
responsibility and obligation to inform our users of any known bugs that
affect the usage of the product as soon as we can confirm and replicate
them.
What versions of FrontPage does this affect?
This bug affects Web sites created with FrontPage 1.1 for Windows and
FrontPage 97 with Bonus Pack for Windows that are hosted on Web servers
with any version of the FrontPage Server Extensions installed. However,
it only affects those sites that contain the WebBot components described
above.
Any web server with the FrontPage 97 or 1.1 Server Extensions installed
and active FrontPage webs with the WebBots specified above are
potentially at risk. If the server has server-side include capability
enabled then the potential exposure is higher. However, server-side
includes are a Web server feature that should be carefully evaluated by
any Internet server owner regardless of whether the FrontPage Server
Extensions are installed.
<><><><><><><>
The Microsoft Security Advisory Program Web site has links to all
security issues and questions on:
Macro Virii
Internet Explorer
Java
ActiveX
...and additional security resources. Check the Security Advisory
Program Web site now:
http://www.microsoft.com/security/
Mark Lawrence
Microsoft Premier Support
Internet Applications PIL
Mark Lawrence (marklaw@microsoft.com)
Internet Applications ProductInfoLead
Tech Acct Mgr, Microsoft Premier Support
