[2310] in WWW Security List Archive
Re: Microsoft IIS vv. 1.x, 2.0b New Security Bugs Alert.
daemon@ATHENA.MIT.EDU (Gary Meltzer)
Wed Jul 3 20:34:32 1996
From: garym@softshore.com.au (Gary Meltzer)
To: www-security@ns2.rutgers.edu
Cc: baron@box.omna.com (. Andy Baron)
Date: Wed, 03 Jul 1996 20:09:49 GMT
In-Reply-To: <2.2.32.19960702231339.00777710@box.omna.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Tue, 02 Jul 1996 19:13:39 -0400, you wrote:
> Sorry, the exit at the end of the BAT cannot be considered good protection because of bugs #2 and #3: anyone can create a new BAT file in your /cgi-bin directory without "exit" at the end.
Yes. It only protects against some of the newly expanded set of known Aggressive Resource Locaters (ARLs).
>At 06:06 PM 7/1/96 GMT, you wrote:
>>>...
>>> http://www.omna.com/msiis/
>>>...
>>
>>You seem to have forgotten to publish one of the work-arounds:
>>
>> Put EXIT at the end of your batch files!
>>
>>And check out http://www.softshore.com.au/cgi-bin/PEARL.BAT?
N.B. PEARL.BAT (v0.02 alpha) expands the set of ARLs avoided, warns the browser of this,
and reports some centrally - but does not avoid enough of the now known ARLs to be
sufficient protection for an easily misconfigured NT web server.
It is being updated ...
- G.