Discussions on a list group "NTBugTraq" have alerted about a vulnerability involving an installed ISAPI .dll named "dvwssr.dll" and the ability to hack this file to download source files and/or software from a web server.

This DLL is a "Microsoft Design Tool - Link View" library file which is supported by Visual Interdev 1.0. This application helps Webmasters track broken links. The file DVWSSR.DLL is installed by default to specific locations on a system if MS Frontpage Server Extensions and/or MS Personal WebServer are installed to the following locations:

\_vti_bin\_vti_aut
\version3.0\isapi\_vti_bin\_vti_aut

This file is also installed by Windows NT 4.0 Options Kit. The size is 6416 bytes with versions 1.0.0.2503 or 1.0.0.2503A. According to information posted to NTBugTraq, which has also been confirmed by Microsoft:

"this is a hole that could allow information to be manipulated by 'others'. However, its limited to 'others' who already have web authoring permissions on the same box."

The vulnerability itself would allow someone authoring privileges over Active Server Pages (.asp) which may exist on the server which also may belong to other websites which are hosted on the same system. This alone would compound the problem exponentially.

Additionally according to NTBugTraq, an example of the vulnerability could be relayed this way:

If security has been placed on the web server such that only files owned by websiteA could be modified only by websiteA and files belonging to websiteB can only be modified by owners of websiteB, but by the usage of dvwssr.dll, websiteA could possibly modify files belonging to websiteB. The possibility of exploitation is limited to users who have already been granted web authoring permissions on the box (via Front Page Permissions) using Interdev software.

In the lastest information available, it has been determined that permissions for the hosting webservers must either be "non-existent, incorrectly applied, or permissioned the user across multiple virtual sites (i.e. incorrectly applied)".

Microsoft is expected to publish a press release with indications that concerned users and hosting services should delete the file DVWSSR.DLL from system(s).

According to NTBugTraq's Russ Cooper, the vulnerability is present when "permissions for the hosting webservers must either be non-existent, incorrectly applied, or permissioned the user across multiple virtual sites (i.e. incorrectly applied)".

For additional news information about this vulnerability, see ZDNet News link.

Within the file DVWSSR.DLL, there is a text string which appears as "!seineew era sreenigne e pacsteN" which in reverse actually is "Netscape engineers are weenies!".

This appears to be a static string which is used to communicate with the requesting .DLL, part of the client installation for Visual Interdev. Another .DLL installed at the client named MTD2LV.DLL located in this folder

\Program Files\Common Files\Microsoft
Shared\MSDesigners98
also contains the string.