When you think ASP, think...
Recent Articles
All Articles
ASP.NET Articles
ASPFAQs.com
Message Board
Related Web Technologies
User Tips!
Coding Tips

Sections:
Sample Chapters
Commonly Asked Message Board Questions
JavaScript Tutorials
MSDN Communities Hub
Official Docs
Security
Stump the SQL Guru!
XML Info
Information:
Feedback
Author an Article
ASP ASP.NET ASP FAQs Message Board Feedback
Print this page.
Published: Sunday, April 16, 2000

Microsoft FrontPage 98 Security Hole?


On April 14th, a vulnerability in Microsoft's FrontPage 98 Server Extensions was reported. The security hole, reported by News.com, described the hole as follows:

- continued -

The back door was included in software shipped with Microsoft's Windows NT operating system, the company confirmed. Hackers knowing how to exploit the vulnerability could access any site using FrontPage 98 extensions, Microsoft said. FrontPage, a Web authoring and site management software package, requires that special software code--or extensions--be present on the Web site for all features to be available.

To exploit the weakness, a hacker would also need authoring privileges on a particular Web server. By accessing a single file, called "dvwssr.dll," the hacker could write a script allowing access to many more files on the site.
[Taken from Microsoft secret file could allow access to Web sites]

Supposedly there was a backdoor problem: someone who requested a document from a Web server using FrontPage 98 Server Extensions using the user name NetscapeEngineersAreWeenies could look at any ASP page's source.

Microsoft, eager to resolve this issue, set its team of engineers at full speed to locate this vulnerability and patch it up. The results? No backdoor was found; the "weenie" username worked only on insecure systems, where any username would have worked.

In Microsoft's commitment to locate the problem, however, they did unearth a buffer-related error with dvwssr.dll. Microsoft currently has a security bulletin up and a FAQ about this buffer overflow error.


Related Links

  • A good discussion of the buffer overflow can be seen at NTBugTraq: http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0004&L=ntbugtraq&F=&S=&P=3594
  • There is a good discussion on the issue at Slashdot.

    More on this as it becomes available...


  • ASP.NET [1.x] [2.0] | ASPMessageboard.com | ASPFAQs.com | Advertise | Feedback | Author an Article