
Microsoft Web tool exposes users

A utility that accompanies the giant's FrontPage Web authoring software exposes the user's hard drive to intruders who visit the user's Web page.

Paul Festa, Staff Writer, CNET News.com
Paul Festa covers browser development and Web standards.

Some users of Microsoft's Web authoring tool may be publishing more than they intend.

Microsoft today acknowledged a security hole in a utility that accompanies its FrontPage Web authoring software. The hole exposes the user's hard drive to intruders who visit the user's Web page.

Only a small number of FrontPage users will have the specific configuration that makes them vulnerable, FrontPage program manager Mike Angiulo said. Those users are utilizing the original version of the Personal Web Server utility running on Windows 95 and 98. Windows NT users are not affected.

Personal Web Server is a tool that lets users effectively turn their personal computers into Web servers. Normally, a Web author designs a site and then posts it to a remote server to inspect it. Personal Web Server lets the user post the site to the Web directly from the PC. The software is not intended for more than the editing and inspection process; for instance, it won't accommodate more than a few dozen simultaneous visitors.

But for FrontPage customers who do use the Personal Web Server to post and serve their sites, a security glitch could reveal any file on their hard drive, provided the intruder knows or guesses the name of that file.

The security glitch lets the Web site visitor enter a URL with a string of dots; those dots call up documents higher in the file path. Normal security would prevent a Web site visitor from accessing files outside the posted content area, serving up an "access forbidden" error message instead. But FrontPage Personal Web Server is missing that safeguard.
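The missing safeguard can be sketched as a path check that a Web server runs before opening a file. This is an added example, not code from Microsoft or from the original article; the `/webroot` content directory, the function names and the sample requests are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

OK, FORBIDDEN = 200, 403

def resolve(doc_root, url_path):
    """Return (status, file_path) for a request path; file_path is None on 403."""
    # Decode percent-escapes once, so "%2e%2e" is checked exactly like "..".
    decoded = unquote(url_path).replace("\\", "/")  # backslash also separates on Windows
    if "\x00" in decoded:
        return FORBIDDEN, None
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue  # empty and current-directory segments carry no meaning
        # Windows file APIs ignore trailing dots and spaces, so strip them before
        # judging the name. A segment that is nothing but dots ("..", "...",
        # "....") strips to empty and is refused whatever its length.
        if seg.rstrip(". ") == "" or ":" in seg:
            return FORBIDDEN, None
        parts.append(seg)
    root = posixpath.normpath(doc_root)
    full = posixpath.normpath(posixpath.join(root, *parts))
    # Defence in depth: the normalised result must still sit under the root.
    if full != root and not full.startswith(root.rstrip("/") + "/"):
        return FORBIDDEN, None
    return OK, full

# Constructed sample requests against a hypothetical content directory.
SAMPLES = [
    "/index.htm",
    "/docs/./page.htm",
    "/../private.txt",
    "/..../private.txt",
    "/%2e%2e/private.txt",
    "/..\\..\\private.txt",
]

def check_samples(doc_root="/webroot"):
    """Return (request path, status) pairs for the constructed samples."""
    return [(p, resolve(doc_root, p)[0]) for p in SAMPLES]

if __name__ == "__main__":
    for path, status in check_samples():
        print(status, path)
```

Requests that stay inside the posted content area resolve to a file path, and every dot-only segment draws the "access forbidden" response instead.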

Angiulo said Microsoft programmers were working to post a fix as soon as possible.

The bug affects only the first version of the utility, known as FrontPage Personal Web Server. Subsequent versions, dubbed Microsoft Personal Web Server, are not affected. The first, faulty version ships with all versions of FrontPage, but starting with FrontPage 97 it is no longer the default Web serving software.

Microsoft acquired FrontPage and its utility when it bought Vermeer Technologies in 1996.