Microsoft FrontPage
Modification Security Issue
I hear there is a possible security issue with FrontPage, what’s the story?
Microsoft has uncovered a bug in the Microsoft FrontPage Server Extensions that allows knowledgeable users to potentially add content to pages on a Web site without permission through use of raw HTML. This can only happen if:
- Someone viewing a Web page has an advanced mastery of HTML
- The Web site is hosted on a server that contains the FrontPage server extensions
- A Web page contains a Save Results WebBot Component or a Discussion WebBot Component
Can you be more specific than that?
Since raw HTML is not filtered out of entries made in the entry fields of the Save Results or Discussion WebBot Components, it is possible for a knowledgeable person browsing a site to enter the tags necessary to create a form within these fields. If the results page is then fetched for browsing, the newly inserted form will be available for use by anyone browsing the site. The result is that anyone browsing could then append information to pages in the Web site even though they do not have authoring permission.
How is this issue being addressed?
After isolating the bug and replicating it we concluded the best way to address the issue was to create new versions of the FrontPage 97 Server Extensions. These Server Extensions are being made immediately available at no charge to all of our users via download from the FrontPage Web site at http://www.microsoft.com/frontpage/softlib/current.htm. In addition, we are in the process of proactively sending a set of the updated FrontPage 97 Server Extensions to all Internet Service Providers we know of that are currently using the FrontPage Server Extensions, and we will also include them in the Windows NT Server Service Pack 3.
When did you find out about this?
This issue came to our attention within the last two weeks from a Microsoft employee creating a Web site with FrontPage. Since then we have been confirming and replicating the error to ensure that it was not an isolated incident. As far as we know, this issue has affected no one outside of Microsoft.
As with any bug that comes to our attention, we feel it is our responsibility and obligation to inform our users of any known bugs that affect the usage of the product as soon as we can confirm and replicate them.
What versions of FrontPage does this affect?
This bug affects Web sites created with FrontPage 1.1 for Windows and FrontPage 97 with Bonus Pack for Windows that are hosted on Web servers with any version of the FrontPage Server Extensions installed. However, it only affects those sites that contain the WebBot components described above.
Does it matter what type of Web server my site is hosted on in determining whether this will affect my site?
Any web server with the FrontPage 97 or 1.1 Server Extensions installed and active FrontPage webs with the WebBots specified above are potentially at risk. If the server has server-side include capability enabled then the potential exposure is higher. However, server-side includes are a Web server feature that should be carefully evaluated by any Internet server owner regardless of whether the FrontPage Server Extensions are installed.
I have FrontPage (1.1 or 97) for Windows installed on my workstation, do I need to update my copy of FrontPage?
This issue is most likely to be a problem for Internet Service Providers who are hosting webs on the Internet with the FrontPage Server Extensions. However, FrontPage 97 automatically installs a web server onto the workstation in order to store Web sites on the workstation for local authoring and staging. Consequently each workstation with FrontPage 97 should be upgraded with the new version of the FrontPage 97 Server Extensions for maximum security. If your workstation does not have a full-time connection to the Internet and you connect occasionally through a modem then the risk of exposure is low but still present, and Microsoft recommends that you install the new Server Extensions.
So what should I do now?
As mentioned above, we have created new Server Extensions that address this issue. These Server Extensions are immediately available at no charge.
We strongly encourage anyone who has a Web server with the current FrontPage Server Extensions on them to take advantage of this free upgrade. The new Server Extensions disallow entry of raw HTML into the WebBot Components in question, thereby eliminating this issue completely.
There are two different versions of the upgraded FrontPage Server Extensions:
- FrontPage 97 Server Extensions for Windows setup.
All owners of the FrontPage retail box should install this setup in order to update the copy of the FrontPage server extensions on the local workstation. All new Windows installations of the FrontPage Server Extensions should use this new version of the FrontPage 97 Server Extensions setup. ISPs hosting FrontPage webs can also use this setup, but see below for more ISP information.
- FrontPage 97 Server Extensions for UNIX.
The FrontPage 97 Server Extensions for UNIX have been updated for all supported platforms. These should be installed in place of the existing server extension installations.
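The raw-HTML injection described under "Can you be more specific than that?" and the filtering the updated Server Extensions apply, as an added Python illustration that is not Microsoft's code: a simulated results page, the unfiltered append that lets a submitted form become live for every later visitor, the escaped append that neutralises it, and an audit that checks an existing results page for tags a visitor should never have been able to add. The page layout, region markers and action URL are constructed assumptions.

```python
import html
import re

# Constructed stand-in for a Save Results "results page": submissions are
# written into the region between the two markers; the site's own legitimate
# entry form sits outside that region. The action URL is a placeholder.
ENTRIES_START = "<!--entries-start-->"
ENTRIES_END = "<!--entries-end-->"
RESULTS_TEMPLATE = (
    "<html><body><h1>Guestbook</h1>\n"
    f"{ENTRIES_START}\n{ENTRIES_END}\n"
    '<form method="POST" action="/guestbook-results">'
    '<input name="name"><input name="comment"></form>\n'
    "</body></html>"
)

# Constructed hostile submission: the comment field carries a complete form,
# which the unfiltered extensions would publish for every later visitor.
INJECTED_ENTRY = {
    "name": "visitor",
    "comment": '<form method="POST" action="/guestbook-results">'
               '<input name="comment"><input type="submit"></form>',
}

# Tags that visitor-supplied field values should never be able to introduce.
INJECTED_TAG = re.compile(r"<\s*(form|input|textarea|button|script|iframe)\b", re.I)


def _append_row(page: str, row: str) -> str:
    """Insert one formatted row at the end of the entries region."""
    return page.replace(ENTRIES_END, row + "\n" + ENTRIES_END, 1)


def append_entry_unfiltered(page: str, entry: dict) -> str:
    """Original behaviour: field values are dropped into the page as raw HTML."""
    row = "<p>" + " | ".join(f"{k}: {v}" for k, v in entry.items()) + "</p>"
    return _append_row(page, row)


def append_entry_escaped(page: str, entry: dict) -> str:
    """Fixed behaviour: every field value is HTML-escaped, so any markup is
    shown as text rather than rendered (the effect of the updated extensions)."""
    row = "<p>" + " | ".join(
        f"{html.escape(k)}: {html.escape(v)}" for k, v in entry.items()) + "</p>"
    return _append_row(page, row)


def find_injected_markup(page: str) -> list:
    """Audit an existing results page: list the active tags found inside the
    entries region, ignoring the site's own form outside it."""
    start = page.index(ENTRIES_START) + len(ENTRIES_START)
    end = page.index(ENTRIES_END)
    return [m.group(1).lower() for m in INJECTED_TAG.finditer(page[start:end])]
```

Running `find_injected_markup` over results pages written before the upgrade shows whether a form was ever slipped in; the escaped append is the behaviour to keep going forward.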
I’m a Windows NT-based ISP hosting FrontPage Webs. What’s the best way for me to upgrade my servers?
ISPs that are hosting FrontPage webs on Windows NT Servers using the Microsoft Internet Information Server can install the FrontPage 97 Server Extensions for Windows setup mentioned above. This setup will correctly upgrade the extensions; however, it may cause excessive downtime on the server.
Microsoft is sensitive to this problem and therefore has produced a separate set of instructions for upgrading a server manually* without causing significant downtime.
*IMPORTANT NOTE: Unless you are an ISP with hundreds of Web sites on a server, there is no reason to perform the manual steps mentioned directly above, as the time saved will be negligible.
Are any other Microsoft products affected?
Visual InterDev version 1.0, which is included in Visual Studio 97, includes the FrontPage 97 Server Extensions. Although Visual InterDev does not make use of the FrontPage Save Results WebBot Component, the copy of the server extensions installed with Visual InterDev should be updated with the fix.
If I cannot install the new Server Extensions immediately, is there a short-term workaround?
A short-term workaround that addresses this issue is to not use the FrontPage Save Results or Discussion WebBot Component in any Web site created with FrontPage 1.1 or FrontPage 97. However, we recommend you install the updated version of the FrontPage Server Extensions as soon as you can.