Subject: Server Extensions Security Vulnerability 4-20-00 - Microsoft Bulletin
From: Steve (steve@SECURESOLUTIONS.ORG)
Date: Sat Apr 22 2000 - 08:13:40 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We are writing to you today to notify you of new security vulnerabilities recently discovered in all versions of the FrontPage Server Extensions.

In this bulletin you will find:

-- Immediate Issues That You Will Need To Address
-- What Microsoft is doing about FrontPage Server Extensions Security Issues
-- Timeframe for Upcoming Server Extensions Web Releases
-- Fixes Addressed by the Upcoming SR1.1 Web Release
-- Sharing This Information With Others in Your Organization
======================================================================
IMMEDIATE ISSUES
======================================================================
IMAGEMAP.EXE AND HTIMAGE.EXE

FrontPage Server Extensions versions prior to FrontPage 2000 ship with files called imagemap.exe and htimage.exe, which are server-side NCSA and CERN compliant components that support server-side image maps. If attacked, these files are vulnerable to buffer overruns, exploits of cross site scripting, and access to drive path and file information. ALL WEB PRESENCE PROVIDERS ON BOTH THE UNIX AND WINDOWS PLATFORMS SHOULD DELETE ALL OCCURRENCES OF THESE FILES (imagemap.exe and htimage.exe) ON ALL WEB SERVERS. FrontPage defaults to using client side image maps. Removing the files will have minimal or no impact to end user functionality.

FrontPage 2000 defaults to restricting uploads of files to executable folders. The server side setting is NoExecutableCgiUpload:1. In order to control future uploads of the image map files or any other files to executable folders on the server, configure the NoExecutableCgiUpload setting. This server side setting is described further in the FrontPage 2000 Server Extensions resource kit at:
http://officeupdate.microsoft.com/frontpage/wpp/serk/apndx03.htm#apndx03.doc-1079.
DVWSSR.DLL

Last week, we sent you mail concerning a separate issue with dvwssr.dll. This dll, found on Windows platforms, provides Link View functionality to Visual Interdev 1.0. A buffer overrun issue was detected with this dll. WEB PRESENCE PROVIDERS ON WINDOWS PLATFORMS SHOULD REMOVE ALL OCCURRENCES OF DVWSSR.DLL FROM ALL WEB SERVERS. For details see:
http://www.microsoft.com/technet/security/bulletin/fq00-025.asp

WHAT YOU SHOULD DO:

We recommend that you take the following actions over the next month:

1. Delete dvwssr.dll, imagemap.exe, and htimage.exe now.
2. Install SR1.1 when it becomes available, targeted for April 28, 2000.
3. Install SR1.2 when it becomes available, targeted for mid-May 2000.
======================================================================
WHAT MICROSOFT IS DOING
======================================================================

The FrontPage Server Extensions Product Group is working closely with the Microsoft Security Response Center to investigate all security reports concerning Server Extensions. We are also conducting our own examination of Server Extensions components to proactively identify and fix any vulnerability. Over the past week, we have identified bugs and are in the process of fixing them. Listed below are the bugs we are currently working on:

Cross Site Scripting Bugs

* shtml.dll allows sending arbitrary html and script to the browser in some situations.
* Confirmation Field bots on custom confirm pages not HTML encoding the text displayed in some situations.

Memory Bugs

* Memory leaks can be encountered when a malformed request is sent to shtml.dll, which is the runtime support DLL for active Web components such as search bots and discussion bots. Malformed requests can be generated by deliberate attacks, but the FrontPage client will never send malformed requests. We are adding code to better catch and clean up malformed requests to block memory leaks due to deliberate attacks.

Permission Bugs

* Restricting NT Account Lists, using RestrictIISUsersAndGroups on Windows 2000 fails because group naming conventions prevent using the : and / in group names. We are adding code to enable using groups with supported characters. For example FP_www.microsoft.com:80 becomes FP_www.microsoft.com_80.
======================================================================
TIME FRAME FOR UPCOMING SERVER EXTENSIONS WEB RELEASES
======================================================================

In order to balance getting Web Presence Providers security fixes and addressing the backlog of Server Extensions fixes since FrontPage 2000 was released, we will release two version updates. The first release, SR1.1, will address the cross-site scripting security bugs and include all bug fixes since FrontPage 2000 shipped. This release will be available in about one week. The second release, SR1.2, will address the memory bugs and any other non security bugs that did not make the first release. It should be available about mid-May.
======================================================================
BUG FIXES ADDRESSED IN THE SR1.1 WEB RELEASE
======================================================================

The SR1.1 Web Release will be available for download from the MSDN Web site shortly. This release is not to be confused with the Office SR1 Release currently available on the Microsoft Web site. We will notify you upon the availability of SR1.1 Web Release.
UNIX BUG FIXES

--Categories--
* On Alpha Unix platforms, assigning a page to a category would cause an Internal Server Error to be generated at the client and the category would not be applied to the page.

--Components--
* FrontPage hit counter data could be overwritten by users with FTP or Telnet access.
* The Include Page component did not ensure uniqueness of image map names when the included pages contained image maps with the same name. This caused hotspots to be incorrect.
* Confirmation Field bots on custom confirm pages did not display the form field entry when used with save to database pages.

--Forms--
* SMTP Response using the FrontPage Form Result to Email feature could result in an infinite loop and subsequently affect system resources.
* Forms configured to save results as HTML, when Include Field Names was disabled, did not write the results to the form.

--Lightweight Server Extensions--
* In the Lightweight Server implementation of Server Extensions, the global parameters stored in frontpage.cnf were ignored.

--Permissions--
* Limiting upload of files to executable folders did not work when a file was uploaded to a non-executable folder, and then subsequently moved to the executable folder.

--Recalculate Hyperlinks--
* Recalculate hyperlinks causes stray slashes to be doubled when FrontPage recalculates a web. Subsequent recalcs will double all such slashes, thus exponentially growing the number of slashes in the tag and affecting system resources.
WINDOWS BUG FIXES

--Administration--
* When administering the FrontPage Server Extensions using the Microsoft Management Console of Internet Information Server 4.0, the MMC administration for Server Extensions was grayed out.
* Provisioning a web site using the MMC based administration would appear to hang going from the first screen of the wizard to the second screen. This problem would get progressively worse as new virtual servers were added.

--Components--
* The Include Page component did not ensure uniqueness of image map names when the included pages contained image maps with the same name. This caused hotspots to be incorrect.
* Confirmation Field bots on custom confirm pages did not display the form field entry when used with save to database pages.

--Forms--
* SMTP Response using the FrontPage Form Result to Email feature could result in an infinite loop and subsequently degrade system resources.

--Graphic--
* A Background image applied in FrontPage 98 client on a FrontPage 2000-extended Web server was not visible in some circumstances and the body tag lost the background attribute set.
* Adding a corrupt jpeg file to a FrontPage-extended Web sometimes caused the server CPU to spike to 100% permanently.

--Index Server--
* Index Server indexed FrontPage _vti_cnf folders, possibly causing performance degradation.

--Internet Information Server 3.0--
* On Internet Information Server 3.0, a Full Uninstall of the Server Extensions from one virtual server caused all FrontPage-extended Webs to become disabled.

--Lightweight Server Extensions--
* In the Lightweight Server implementation of Server Extensions, the global parameters stored in the registry were ignored.

--O'Reilly WebSite Professional--
* For O'Reilly(R) WebSite Professional(tm) web servers, opening a web in FrontPage, or provisioning a new virtual server with Server Extensions, could take a very long time if the web server hosted hundreds of web sites.

--Permissions--
* Limiting upload of files to executable folders did not work when a file was uploaded to a non-executable folder, and then subsequently moved to the executable folder.
* In a unique circumstance, FrontPage could delete content in a folder if a valid Author opens a web and the permissions for the account have been modified in Windows Explorer to limit the Author's access to the folder.
* FrontPage permissions modifications on subwebs were not updated when account permissions were reduced.

--Proxies and Firewalls--
* Attempting to open a FrontPage 2000-extended web when connecting through certain proxies and firewalls results in a timeout or error saying, "the server sent a response which FrontPage could not parse".

--Server Extensions Resource Kit (SERK)--
For Windows 2000, the online version of the Server Extensions Resource Kit was updated with:
* Instructions for enabling the HTML Administration Forms on Windows 2000. Without setting the Application Protection setting to Low, the HTML Admin forms will not work.
* Instructions for restricting account lists that are enumerated in the FrontPage Client. Configuring RestrictIISUsersAndGroups on Windows 2000 will not work as it did on Windows NT 4.0. Information concerning the fact that Windows 2000 considers the following characters illegal for group creation: \ / \ [ ] : | < > + = ; , ? *.
Please refer to the online SERK for more details at:
http://officeupdate.microsoft.com/frontpage/wpp/serk/

--Recalculate Hyperlinks--
* Recalculate hyperlinks causes stray slashes to be doubled when FrontPage recalculates a web. Subsequent recalculations will double all such slashes, thus exponentially growing the number of slashes in the tag and affecting system resources.
As additional information about security issues or updates on web releases becomes available, we will pass this along to you.

If you require additional assistance you may contact Microsoft Support Services for no-charge Server Extensions support on supported FrontPage Server Extensions 24 x 7. For support on the FPSEs or OSEs, just call 1-800-936-4900. You will be asked for your support ID number, which is: 4129767.

Best regards,

Mark
Microsoft FrontPage
Web Presence Provider Program
fpmark@microsoft.com
http://www.microsoft.com/frontpage/wpp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Microsoft, Windows, and FrontPage are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
THIS DOCUMENT AND OTHER DOCUMENTS PROVIDED PURSUANT TO THIS PROGRAM ARE FOR INFORMATIONAL PURPOSES ONLY. The information type should not be interpreted to be a commitment on the part of Microsoft and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. The user assumes the entire risk as to the accuracy and the use of this document.

Thank You,

Mark
Microsoft FrontPage
Web Presence Provider Program
fpmark@microsoft.com
http://www.microsoft.com/frontpage

--
------------------------------------------------------------------------------
- -----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use
<http://www.pgp.com>
iQA/AwUBOQGlVDV9eGvIXwM6EQJaFQCgvZTAfK3fKedbX28F11mzeynLQ/wAniju
+MNiNMjDeSYWmaBVJGaUolxB
=vVwb
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBOQGlfzV9eGvIXwM6EQIbdwCg+MOrVuzvQn2PXHCTRoFln6Lemc4AnAjy
IidAuloOTXJAdNMGCOZAnlZz
=jvyj
-----END PGP SIGNATURE-----
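The bulletin's immediate action is to delete imagemap.exe, htimage.exe and dvwssr.dll from every web server and to keep NoExecutableCgiUpload set to 1. The script below, an added example for this archive page and not Microsoft's or the list's code, walks a web root for those three file names (case-insensitively, since Windows file systems are) and checks a `key:value` configuration text for the setting. The `key:value` file layout, modelled on the bulletin's `NoExecutableCgiUpload:1`, and the sample directory tree it builds are assumptions.

```python
"""Audit a web root for the binaries named in the FrontPage Server Extensions
bulletin (imagemap.exe, htimage.exe, dvwssr.dll) and check whether the
NoExecutableCgiUpload setting is enabled.

Added example, not Microsoft's or the list's code. The `key:value` config
layout (after the bulletin's `NoExecutableCgiUpload:1`) and the constructed
sample tree are assumptions."""

import os
import tempfile

# File names the bulletin says to remove from all web servers.
LEGACY_BINARIES = {"imagemap.exe", "htimage.exe", "dvwssr.dll"}


def find_legacy_binaries(root):
    """Walk `root` and return every path whose file name matches one of
    LEGACY_BINARIES, compared case-insensitively."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in LEGACY_BINARIES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def remove_legacy_binaries(root, dry_run=True):
    """Delete the flagged files (only list them when dry_run is True) and
    return the paths that were, or would be, removed."""
    hits = find_legacy_binaries(root)
    if not dry_run:
        for path in hits:
            os.remove(path)
    return hits


def parse_frontpage_cnf(text):
    """Parse `key:value` lines (assumed layout). Blank lines, `#` comments and
    lines without a colon are skipped; keys are lower-cased."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip().lower()] = value.strip()
    return settings


def executable_upload_blocked(config_text):
    """True only when NoExecutableCgiUpload is explicitly set to 1."""
    return parse_frontpage_cnf(config_text).get("noexecutablecgiupload") == "1"


def build_sample_web_root():
    """Constructed sample tree standing in for a provider's web root."""
    root = tempfile.mkdtemp(prefix="fpse_audit_")
    layout = {
        "site1/cgi-bin/imagemap.exe": b"MZ",
        "site1/cgi-bin/HTIMAGE.EXE": b"MZ",          # mixed case on purpose
        "site2/_vti_bin/_vti_aut/dvwssr.dll": b"MZ",
        "site2/_vti_bin/shtml.dll": b"MZ",           # legitimate, not flagged
        "site2/index.htm": b"<html></html>",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_web_root()
    for hit in remove_legacy_binaries(root, dry_run=True):
        print("REMOVE:", hit)
    sample_cnf = "# constructed sample config\nNoExecutableCgiUpload:1\n"
    print("executable uploads blocked:", executable_upload_blocked(sample_cnf))
```

Run it with `dry_run=True` first against each web root and review the list before deleting; the bulletin's own guidance is that removing the image map binaries has minimal end-user impact because FrontPage defaults to client-side image maps.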
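Under "Permission Bugs" the bulletin explains that RestrictIISUsersAndGroups fails on Windows 2000 because group names such as FP_www.microsoft.com:80 contain characters Windows 2000 rejects, and that the fix maps them to names like FP_www.microsoft.com_80. The block below, an added example and not Microsoft's code, implements that mapping against the illegal character list the SERK section quotes. The `FP_<host>:<port>` construction is inferred from the bulletin's single example and is an assumption.

```python
"""Map FrontPage Server Extensions group names onto names Windows 2000 accepts.

Added example, not Microsoft's code. The illegal character list and the
FP_www.microsoft.com:80 -> FP_www.microsoft.com_80 mapping come from the
bulletin; the FP_<host>:<port> construction is inferred from that example
and is an assumption."""

# Characters the bulletin says Windows 2000 rejects when creating a group.
W2K_ILLEGAL_GROUP_CHARS = set("\\/[]:|<>+=;,?*")


def is_valid_w2k_group_name(name):
    """True when `name` is non-empty and contains no illegal character."""
    return bool(name) and not (set(name) & W2K_ILLEGAL_GROUP_CHARS)


def w2k_group_name(name, replacement="_"):
    """Replace every illegal character with `replacement`; the bulletin's fix
    turns the ':' in FP_www.microsoft.com:80 into '_'."""
    return "".join(replacement if c in W2K_ILLEGAL_GROUP_CHARS else c
                   for c in name)


def fpse_group_name(host, port, windows_2000=True):
    """Build the per-virtual-server group name. The FP_<host>:<port> form is
    inferred from the bulletin's example (assumption); on Windows 2000 the
    name is rewritten with supported characters only."""
    legacy = f"FP_{host}:{port}"
    return w2k_group_name(legacy) if windows_2000 else legacy


def audit_group_names(names):
    """Return {name: suggested_name} for every name Windows 2000 would
    reject, so an administrator can see what has to be renamed."""
    return {n: w2k_group_name(n) for n in names
            if not is_valid_w2k_group_name(n)}


if __name__ == "__main__":
    # Constructed sample of existing NT 4.0-style group names.
    existing = ["FP_www.microsoft.com:80", "FP_intranet:8080", "WebAuthors"]
    for old, new in audit_group_names(existing).items():
        print(f"{old} -> {new}")
```

The audit only flags the characters the bulletin lists; if a directory rejects a name for another reason (length, reserved names), that check belongs alongside this one rather than in place of it.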
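Under "Cross Site Scripting Bugs" the bulletin lists Confirmation Field bots on custom confirmation pages not HTML encoding the text they display. The block below, an added illustration of that bug class and not FrontPage's code, renders a confirmation page both ways: field values substituted verbatim (the behaviour being fixed) and HTML-encoded so submitted text can only ever render as text. The `[[FieldName]]` placeholder syntax and the sample page and submission are constructed assumptions, not FrontPage's real template syntax.

```python
"""Confirmation-page rendering: submitted form fields displayed without HTML
encoding (the bug class in the bulletin) beside the encoded form.

Added example, not FrontPage's code. The `[[FieldName]]` placeholder syntax
and the sample template and submission are constructed assumptions."""

import html
import re

# Placeholder syntax assumed for this example: [[FieldName]]
FIELD_RE = re.compile(r"\[\[(\w+)\]\]")


def render_unencoded(template, fields):
    """Substitute field values verbatim: whatever was submitted is emitted as
    markup, so markup in a field becomes part of the page."""
    return FIELD_RE.sub(lambda m: fields.get(m.group(1), ""), template)


def render_encoded(template, fields):
    """Substitute field values HTML-encoded (including quotes, so the value is
    also safe inside an attribute) so they render as literal text."""
    return FIELD_RE.sub(
        lambda m: html.escape(fields.get(m.group(1), ""), quote=True),
        template)


def contains_tag(rendered, tag="script"):
    """Did a raw <tag ...> survive into the rendered output?"""
    return f"<{tag}" in rendered.lower()


# Constructed sample: a custom confirmation page and a submission carrying
# markup in the Name field.
TEMPLATE = "<p>Thank you, [[Name]]. We will reply to [[Email]].</p>"
SUBMISSION = {
    "Name": "<script>alert(1)</script>",
    "Email": "ann@example.com",
}

if __name__ == "__main__":
    print("unencoded:", render_unencoded(TEMPLATE, SUBMISSION))
    print("encoded:  ", render_encoded(TEMPLATE, SUBMISSION))
```

Encoding at the point of output is the general remedy for this class of bug: the fix belongs in the component that writes submitted text into a page, not in the form that collects it, because any other path to the same data (saved results, database pages) would otherwise need its own filter.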