Something for the techies to chew on

  Here's a post I just got in from a webmaster's list.  I
  thought the techies here would be interested, and it is of
  general interest to the background of this ongoing discussion.
  It particularly concerns security.  My question is why does
  Microsoft seem to keep on putting software on the market that
  allows unimpeded access to a remote user's hard drive?  Do they
  have a motive?
  <post follows>
  Another FrontPage Bug. This one is NOT COOL!!! at all...
  -----Original Message-----
  Date: Wednesday, November 19, 1997 9:20 AM
  Subject: [PWA-L] A Serious Bug with MS Frontpage & Personal Server
  >All:
  >A Colleague sent this to me.  I trust him, but as I do not have (or
  >want) FrontPage, this has not been verified by myself personally.
  >RE Telephone call on 18/11/97 regarding the security of Microsoft's
  >FrontPage 97 and the Personal Web server.
  >After receiving an anonymous malicious posting to my company's web
  >discussion forum, I decided to trace the individual to his ISP with the
  >intention of asking for an apology. By using the DNS number captured in
  >the discussion posting and feeding it into my Netscape Navigator Browser
  >to find out who their ISP was, you can imagine my shock when I found
  >myself faced by a Personal Web Server Network Administrator HTML page on
  >hard drive. I disconnected immediately.
  >Because I use FrontPage 97 myself I also have a copy of the Personal Web
  >Server. I checked to see if it was possible to gain access to my
  >computer while I was connected to the Internet whilst the PWS was
  >running. I asked a colleague to dial up to the Internet while I was also
  >connected and by using my dns number he arrived at my default page
  >screen without being challenged. He was then able to go to the Web
  >Server Network Administrator function and change it to allow full
  >anonymous FTP access to my files contained upon my hard disk. He was
  >even able to change the path of the shared directory and log files
  >giving him full anonymity and almost total control of my PC.
  >All this is possible using the default installation settings for the PWS
  >which allows remote user browse access. If at this point the intruder
  >has any experience of FrontPage he can then go to
  >http://MYDNSNUMBER/htmla/htmla.htm and alter the configuration settings.
  >At no point does it warn you of this possible security risk.
  >My computer runs Windows 95. It should be pointed out that the
  >possibility of NT, which ships with the PWS as a standard component, may
  >be vulnerable to the same attack.
  ><Name & Contact Info deleted>
