[17301] in bugtraq
Re: Microsoft Security Bulletin (MS00-078)
daemon@ATHENA.MIT.EDU (Microsoft Security Response Center)
Mon Oct 23 14:03:15 2000
Mime-Version: 1.0
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=SHA1;
boundary="----=_NextPart_000_015F_01C03AC5.03DA9980";
protocol="application/x-pkcs7-signature"
Message-Id: <C10F7F33B880B248BCC47DB446738847758432@red-msg-07.redmond.corp.microsoft.com>
Date: Fri, 20 Oct 2000 18:39:02 -0700
Reply-To: Microsoft Security Response Center <secure@MICROSOFT.COM>
From: Microsoft Security Response Center <secure@MICROSOFT.COM>
X-To: Luiz Lima <llima@IMAGELINK.COM.BR>
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
------=_NextPart_000_015F_01C03AC5.03DA9980
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNED MESSAGE-----
Hi All -
This is expected behavior, although it requires some explanation.
Security Bulletin MS00-030 ("Malformed Extension Data in URL")
provided a patch that changes how certain URLs are handled. One of
the changes is that after applying the patch, directory names can't
include an extension that's normally associated with an executable
file type. So, for instance, http://localhost/test.com/index.htm
would be treated as invalid, while
http://localhost/test.aaa/index.htm would be treated as valid. We
did discuss this in the original version of MS00-030, but today we
updated it to make it more clear. (See "What Does This Patch Do?" in
the FAQ)
The next question is why applying the patch for MS00-078 caused the
behavior from MS00-030 to occur. The reason is that both of the
patches shipped their new functinality via W3SVC.DLL. Whenever we
issue a patch, the fix is incorporated into the official code tree.
Future patches are always built using the then-current code tree.
This means that, when we issued MS00-030, the new URL handling became
part of the code tree for W3SVC.DLL. When we issued the patch for
MS00-078, it contained a fix for its vulnerability, built atop the
current code tree, which already included the functionality for
MS00-030. (BTW, to be 100% accurate, there actually isn't a new
patch for MS00-078 -- the bulletin points to the patch delivered in
MS00-057. I glossed over this detail because the description was
complicated enough already).
One last point. This does *not* mean that all security patches are
cumulative. MS00-030 and MS00-078 shared behavior only because they
both shipped W3SVC.DLL. If, for example, MS00-078 had included
XYZ.DLL rather than W3SVC.DLL, the behavior from MS00-030 would not
have been included in it.
Hope that helps clear up the mystery. Regards,
Scott Culp
Security Program Manager
Microsoft Security Response Center
- -----Original Message-----
From: Luiz Lima [mailto:llima@IMAGELINK.COM.BR]
Sent: Wednesday, October 18, 2000 7:58 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: En: Microsoft Security Bulletin (MS00-078)
UPDATE: Renato Henriques (grandmaster@imagelink.com.br), a co-worker
of
mine, has come with an idea that allowed us to better understand the
problem.
We first discovered it because we host some test folders for clients
under
our own domain "/theirdomain.com" and that was when we first saw the
problem
and didn't realize we were keeping the ".com" pattern while testing.
It happens that the problem is to load content from folders that look
like
executables. So, http://localhost/test.com/index.htm or
http://localhost/test.exe/index.htm will fail while
http://localhost/test.aaa/index.htm will succeed as they all should.
It's still a bug, as far as we are concerned, but it's a different
one than
what we previously thought.
- ---
Luiz Lima
Image Link Internet
http://www.imagelink.com.br
- -----Mensagem Original-----
De: "Luiz Lima" <llima@imagelink.com.br>
Para: <BUGTRAQ@SECURITYFOCUS.COM>
Enviada em: Quarta-feira, 18 de Outubro de 2000 12:13
Assunto: Re: Microsoft Security Bulletin (MS00-078)
> Ok... So I've applied the patch to my English version NT Server 4.0
> SP6a. Now it seems that I can't access directories with dots on
> their names.
>
> To make it happen, simply create a folder named test.com on your
> web
folder.
> If you try to access it (http://localhost/test.com) the server
> returns "listing not allowed". Well, that was expected. Now, create
> a simple index.htm or index.asp and out it inside there and try
> again: 404 - Not found.
>
> It also seems not to be related to the default document loading
> because if you create a bogus.htm file and try to get it
> (http://localhost/test.com/bogus.htm) it won't come either. A "not
> found" error is all you'll get.
>
> I've tried on three different servers (with ver simillar
> configuration, however) and they all behaved the same way.
>
> Anybody with this behavior?
>
> ---
> Luiz Lima
> Image Link Internet
> http://www.imagelink.com.br
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQEVAwUBOfDzio0ZSRQxA/UrAQESLQgAiRrEq7O6jCDw7iiXPAM9utjTUBPyiz03
gXuQbbC8chvXrg42NbaE7c+6XTu0FxWD1WvLlUt+ZlsMS+/NS9wC/P+b2e3Xw7EY
9eRt/3gYXp2yL9DHxu7MibK6Btgog1MVJuajDb3UQvinIR/qKuBY3XOcbXcceyI5
oMCMk9pblOWMP5k1FGDtPjCO+WyV21RRPohbszDUnXvk/SN3CtHTDDwSQYn69Euq
XygWMYRE3K/SNI9cs6lazzYIjO8mzWbE/SUwwhex1JosmsYDqTROBz36tG7qrfNC
kZ1zX/T50tlB9ed1BoIRT7zRsimwrXyDPVKjid6KRU4tEmf5DdWHTQ==
=Nsn6
-----END PGP SIGNATURE-----
------=_NextPart_000_015F_01C03AC5.03DA9980
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIKNTCCAj0w
ggGmAhEAzbp/VvDf5LxU/iKss3KqVTANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQGEwJVUzEXMBUG
A1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTYwMTI5MDAwMDAwWhcNMjgwODAxMjM1OTU5WjBfMQsw
CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVi
bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBAOUZv22jVmEtmUhx9mfeuY3rt56GgAqRDvo4Ja9GiILlc6igmyRdDR/MZW4MsNBWhBiH
mgabEKFz37RYOWtuwfYV1aioP6oSBo0xrH+wNNePNGeICc0UEeJORVZpH3gCgNrcR5EpuzbJY1zF
4Ncth3uhtzKwezC6Ki8xqu6jZ9rbAgMBAAEwDQYJKoZIhvcNAQECBQADgYEATD+4i8Zo3+5DMw5d
6abLB4RNejP/khv0Nq3YlSI2aBFsfELM85wuxAc/FLAPT/+Qknb54rxK6Y/NoIAK98Up8YIiXbix
3YEjo3slFUYweRb46gVLlH8dwhzI47f0EEA8E8NfH1PoSOSGtHuhNbB7Jbq4046rPzidADQAmPPR
cZQwggNmMIICz6ADAgECAhANi0/uqtIYW/R1ap0p4X/7MA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNV
BAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMSBQdWJsaWMg
UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05ODA1MTIwMDAwMDBaFw0wODA1MTIy
MzU5NTlaMIHMMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1
c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQQSBJbmNv
cnAuIEJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJ
bmRpdmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaWRhdGVkMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQC7WkSKBBa7Vf0DeootlE8VeDa4DUqyb5xUv7zodyqdufBou5XZMUFweoFL
uUgTVi3HCOGEQqvAopKrRFyqQvCCDgLpL/vCO7u+yScKXbawNkIztW5UiE+HSr8Z2vkV6A+Hthzj
zMaajn9qJJLj/OBluqexfu/J2zdqyErICQbkmQIDAQABo4G0MIGxMBEGCWCGSAGG+EIBAQQEAwIB
BjA1BgNVHR8ELjAsMCqgKKAmhiRodHRwOi8vY3JsLnZlcmlzaWduLmNvbS9wY2ExLjEuMS5jcmww
RwYDVR0gBEAwPjA8BgtghkgBhvhFAQcBATAtMCsGCCsGAQUFBwIBFh93d3cudmVyaXNpZ24uY29t
L3JlcG9zaXRvcnkvUlBBMA8GA1UdEwQIMAYBAf8CAQAwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEB
AgUAA4GBAEJ8Dt+MeUysvwjsTVUvUImgxV5OLl6VMpt5rWURCxxKUsTVqDEhjt4Qm2wIxQfmA7nn
yDR4CQnyvAZC+FqMg9GK3qoi9dnjIdLPZYwGM7DNILIzzQq9PuGdwTWpZLCnpSRb6fFo6xPEfDf0
lGQNmsW9MxfvgzOgPuWqPq7Ycx+tMIIEhjCCA++gAwIBAgIQBVujtlw0K6W7MlJ1/6zgIjANBgkq
hkiG9w0BAQQFADCBzDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWdu
IFRydXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEg
SW5jb3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEg
Q0EgSW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZDAeFw05OTEyMzAw
MDAwMDBaFw0wMDEyMjkyMzU5NTlaMIIBKjEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNV
BAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVw
b3NpdG9yeS9SUEEgSW5jb3JwLiBieSBSZWYuLExJQUIuTFREKGMpOTgxHjAcBgNVBAsTFVBlcnNv
bmEgTm90IFZhbGlkYXRlZDE0MDIGA1UECxMrRGlnaXRhbCBJRCBDbGFzcyAxIC0gTWljcm9zb2Z0
IEZ1bGwgU2VydmljZTErMCkGA1UEAxQiTWljcm9zb2Z0IFNlY3VyaXR5IFJlc3BvbnNlIENlbnRl
cjEjMCEGCSqGSIb3DQEJARYUc2VjdXJlQG1pY3Jvc29mdC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBALmnytCmO48UVl/4ou0RKLf3WT/yg7DrM4g7Hqh1QwV+6V/RyVKa8qfy5tx855H/
ifS5MaG8Gcw7TM/+DrEqgPAUjNj/kM1jZWZnvAsjGm9/AOMFNIB3Dne3rSsnOzw+YHboWBsnr0Fj
6uexHfGD4dSiT4Ei9hLoZMdTObBB2icRAgMBAAGjggEGMIIBAjAJBgNVHRMEAjAAMIGsBgNVHSAE
gaQwgaEwgZ4GC2CGSAGG+EUBBwEBMIGOMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2ln
bi5jb20vQ1BTMGIGCCsGAQUFBwICMFYwFRYOVmVyaVNpZ24sIEluYy4wAwIBARo9VmVyaVNpZ24n
cyBDUFMgaW5jb3JwLiBieSByZWZlcmVuY2UgbGlhYi4gbHRkLiAoYyk5NyBWZXJpU2lnbjARBglg
hkgBhvhCAQEEBAMCB4AwMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NybC52ZXJpc2lnbi5jb20v
Y2xhc3MxLmNybDANBgkqhkiG9w0BAQQFAAOBgQA5n5AyLxILokAbiP2F1k9tm0c8+wnSjyDuDbI3
ogEZxCSK7FK24f5B9i/U/r+jXi6feCTUIQWY2+PZr153UCHutuEz6N2GxLjN1m8h69TsBDN9jpkU
1+Lp95CWx5eC8oPSRIi+HLD2xS7i++6Bg3jC2JglEUcMJQqbgvb4KzalezGCA1YwggNSAgEBMIHh
MIHMMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0
d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQQSBJbmNvcnAuIEJ5
IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJbmRpdmlk
dWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaWRhdGVkAhAFW6O2XDQrpbsyUnX/rOAiMAkG
BSsOAwIaBQCgggHKMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTAw
MTAyMTAxMzkwMVowIwYJKoZIhvcNAQkEMRYEFCUc5DF1g7jSk9xx1i/3WD/ic3s6MHYGCSqGSIb3
DQEJDzFpMGcwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMAcGBSsOAwIHMAcGBSsOAwIHMA0G
CCqGSIb3DQMCAgEoMAcGBSsOAwIaMAcGBSsOAwIaMAoGCCqGSIb3DQIFMAoGCCqGSIb3DQIFMIHy
BgkrBgEEAYI3EAQxgeQwgeEwgcwxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXRv
cnkvUlBBIEluY29ycC4gQnkgUmVmLixMSUFCLkxURChjKTk4MUgwRgYDVQQDEz9WZXJpU2lnbiBD
bGFzcyAxIENBIEluZGl2aWR1YWwgU3Vic2NyaWJlci1QZXJzb25hIE5vdCBWYWxpZGF0ZWQCEAVb
o7ZcNCuluzJSdf+s4CIwDQYJKoZIhvcNAQEBBQAEgYCB42pNqN1zXeYYZlrtw8deJ8hZyWT0nyJN
P8+ha5rBWALGc8gu4JGLuhVI3wBLW8qXrzNdA/YclKKVFNUFlNMfOabarlZUmZfeoL68uaXuyFwi
bTE0VPmDyXk/+eQbIuxwilTQLEb6dTJbICPBmgDpMiq8hQPAqGiEhD0GP0bCVAAAAAAAAA==
------=_NextPart_000_015F_01C03AC5.03DA9980--
