Modification Security Issue
I hear there is a possible
security issue with FrontPage, what’s the story?
Microsoft has uncovered a bug in the Microsoft
FrontPage Server Extensions that allows knowledgeable
users to potentially add content to pages on a Web site
without permission through use of raw HTML. This can only
- Someone viewing a Web page has an advanced mastery of HTML
- The Web site is hosted on a server that contains the FrontPage
- A Web page contains a Save Results WebBot Component or a Discussion
Can you be more
specific than that?
Since raw HTML is not filtered out of entries made in
the entry fields of the Save Results or Discussion WebBot
Components, it is possible for a knowledgeable person
browsing a site to enter the tags necessary to create a
form within these fields. If the results page is then
fetched for browsing, the newly inserted form will be
available for use by anyone browsing the site. The result
is that anyone browsing could then append information to
pages in the Web site even though they do not have
How is this issue being
After isolating the bug and replicating it we
concluded the best way to address the issue was to create
new versions of the FrontPage 97 Server Extensions. These
Server Extensions are being made immediately available at
no charge to all of our users via download from the
FrontPage Web site at http://www.microsoft.com/frontpage/softlib/current.htm. In addition, we are in the process
of proactively sending a set of the updated FrontPage 97
Server Extensions to all Internet Service Providers we
know of that are currently using the FrontPage Server
Extensions, and we will also include them in the Windows
NT Server Service Pack 3.
When did you find out
This issue came to our attention within the last two
weeks from a Microsoft employee creating a Web site with
FrontPage. Since then we have been confirming and
replicating the error to ensure that it was not an
isolated incident. As far as we know, this issue has
affected no one outside of Microsoft.
As with any bug that comes
to our attention, we feel it is our responsibility and
obligation to inform our users of any known bugs that
affect the usage of the product as soon as we can confirm
and replicate them.
What versions of
FrontPage does this affect?
This bug affects Web sites created with FrontPage 1.1
for Windows and FrontPage 97 with Bonus Pack for Windows
that are hosted on Web servers with any version of the
FrontPage Server Extensions installed. However, it
only affects those sites that contain the WebBot
components described above.
Does it matter what
type of Web server my site is hosted on in determining
whether this will affect my site?
Any web server with the FrontPage 97 or 1.1 Server
Extensions installed and active FrontPage webs with the
WebBots specified above is potentially at risk. If the
server has server-side include capability enabled then
the potential exposure is higher. However, server-side
includes are a Web server feature that should be
carefully evaluated by any Internet server owner
regardless of whether the FrontPage Server Extensions are
I have FrontPage (1.1
or 97) for Windows installed on my workstation, do I need
to update my copy of FrontPage?
This issue is most likely to be a problem for
Internet Service Providers who are hosting webs on the
Internet with the FrontPage Server Extensions. However,
FrontPage 97 automatically installs a web server onto the
workstation in order to store Web sites on the
workstation for local authoring and staging. Consequently
each workstation with FrontPage 97 should be upgraded
with the new version of the FrontPage 97 Server
Extensions for maximum security. If your workstation does
not have a full-time connection to the Internet and you
connect occasionally through a modem, then the risk of
exposure is low but still present, and Microsoft
recommends that you install the new Server Extensions.
So what should I do
As mentioned above, we have created new Server
Extensions that address this issue. These Server Extensions are
immediately available at no charge.
We strongly encourage
anyone who has a Web server with the current FrontPage
Server Extensions on it to take advantage of this free
upgrade. The new Server Extensions disallow entry of raw
HTML into the WebBot Components in question, thereby
eliminating this issue completely.
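
The raw-HTML problem described above, and the effect of neutralizing markup before it reaches the results page, shown as an added example in Python (not Microsoft's code). The handler functions, the sample page and the sample submission are constructed, and HTML-escaping is an assumed stand-in for whatever filtering the updated Server Extensions apply.

```python
import html
from html.parser import HTMLParser

# Constructed stand-ins for a results page and one visitor submission.
EMPTY_PAGE = "<html><body>\n<h1>Results</h1>\n</body></html>"
SAMPLE_FIELDS = {
    "name": "visitor",
    "comment": 'hello <form method="post" action="/placeholder">'
               '<input name="note"><input type="submit"></form>',
}

def append_result_raw(page, fields):
    """Unfiltered behaviour: field values are copied into the page verbatim."""
    rows = "".join(f"<p><b>{k}:</b> {v}</p>\n" for k, v in fields.items())
    return page.replace("</body>", rows + "</body>", 1)

def append_result_escaped(page, fields):
    """Hardened behaviour (assumed approach): encode markup characters so the
    browser displays the visitor's text instead of interpreting it."""
    rows = "".join(
        f"<p><b>{html.escape(k)}:</b> {html.escape(v)}</p>\n"
        for k, v in fields.items()
    )
    return page.replace("</body>", rows + "</body>", 1)

class _ActiveTagFinder(HTMLParser):
    """Collects elements that the results page in this example never needs."""
    ACTIVE = {"form", "input", "textarea", "select", "button", "script", "iframe"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE:
            self.found.append(tag)

def active_tags(page):
    """Return the active elements a browser would build from this page."""
    finder = _ActiveTagFinder()
    finder.feed(page)
    finder.close()
    return finder.found

if __name__ == "__main__":
    print("raw:    ", active_tags(append_result_raw(EMPTY_PAGE, SAMPLE_FIELDS)))
    print("escaped:", active_tags(append_result_escaped(EMPTY_PAGE, SAMPLE_FIELDS)))
```

Running active_tags over results pages that already exist is a quick way to check whether any of them picked up markup from a visitor before the fix was installed.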
There are two different
versions of the upgraded FrontPage Server Extensions:
FrontPage 97 Server
Extensions for Windows setup.
All owners of
the FrontPage retail box should install this
setup in order to update the copy of the
FrontPage server extensions on the local
workstation. All new Windows installations of the
FrontPage Server Extensions should use this new
version of the FrontPage 97 Server Extensions
setup. ISPs hosting FrontPage webs can also use
this setup, but see below for more ISP
FrontPage 97 Server
Extensions for UNIX.
The FrontPage 97 Server Extensions for UNIX have
been updated for all supported platforms. These
should be installed in place of the existing
server extension installations.
I’m a Windows
NT-based ISP hosting FrontPage Webs. What’s the best
Way for me to upgrade my servers?
ISPs that are hosting FrontPage webs on Windows NT
Servers using the Microsoft Internet Information Server
can install the FrontPage 97 Server Extensions for
Windows setup mentioned above. This setup will correctly
upgrade the extensions; however, it may cause excessive
downtime on the server.
Microsoft is sensitive to
this problem and therefore has produced a separate set of
instructions for upgrading a server manually* without causing
*IMPORTANT NOTE: Unless
you are an ISP with hundreds of Web sites on a server,
there is no reason to perform the manual steps mentioned
directly above, as the time saved will be negligible.
Are any other Microsoft
Visual InterDev version 1.0, which is included in Visual Studio 97, includes the FrontPage 97 Server
Extensions. Although Visual InterDev does not make use of
the FrontPage Save Results WebBot Component, the copy of
the server extensions installed with Visual InterDev
should be updated with the fix.
If I cannot install the
new Server Extensions immediately, is there a short-term
A short-term workaround that addresses this issue is
to not use the FrontPage Save Results or Discussion
WebBot Component in any Web site created with FrontPage
1.1 or FrontPage 97. However, we recommend you install
the updated version of the FrontPage Server Extensions as
soon as you can.