FrontPage 2000 Exposes Windows 2000 Accounts
Reported April 21, 2000 by Paul Rogers
When a valid FrontPage user connects to a remote Web using a FrontPage client, that user can obtain a list of account names.
This particular security risk first appeared under NT 4.0, IIS 4.0, and FrontPage 98, where it was apparently carried over to the new platform unchecked. The workaround information for the NT 4.0 platform does not work on Windows 2000 platforms.
Open FrontPage 2000, connect to your remote Web, then click Tools, Security, Permissions, and then Add on the Users tab. A list of accounts on the remote serer will be displayed.
According to BugNet, Microsoft is working on a patch for the matter, however at the time of this writing it was not known when the patch would become available.
Discovered and reported by Paul Rogers