[19717] in bugtraq
Re: Microsoft - Personal Web Server Extended UNICODE Directory
daemon@ATHENA.MIT.EDU (Microsoft Security Response Center)
Tue Mar 20 11:41:46 2001
Message-ID: <C10F7F33B880B248BCC47DB446738847023FF200@red-msg-07.redmond.corp.microsoft.com>
Date: Mon, 19 Mar 2001 12:17:37 -0800
Reply-To: Microsoft Security Response Center <secure@MICROSOFT.COM>
From: Microsoft Security Response Center <secure@MICROSOFT.COM>
X-To: Dinos Pastos <dinopio@LINUX.COM.CY>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi All -
Personal Web Server is, of course, not intended to host web sites on the
Internet. It's only intended to be used in protected environments such
as home networks and the like. If you're hosting an Internet site, IIS
is the appropriate product to use.

Regards,
Scott Culp
Security Program Manager
Microsoft Security Response Center
-----Original Message-----
From: Dinos Pastos [mailto:dinopio@LINUX.COM.CY]
Sent: Sunday, March 18, 2001 2:16 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Microsoft - Personal Web Server Extended UNICODE Directory
Traversal Vulnerability
Hi all...
Just wanted to point out that while testing my Default installation of
Windows 98 running Microsoft Personal Web Server that came with the
Windows98 SE CD I discovered that the famous IIS 4/5 Unicode Directory
Traversal Vulnerability applies also to this Server just as bad as in
IIS.
The exploit method is the same:
http://PWS-server/scripts/..%c1%9c../windows/notepad.exe
I won't go into detail on how to exploit a Windows machine... (Sorry
script kiddies)...
Patches: Dunno.
Quickfixes: Use Linux.
Dinos Pastos - dinopio@linux.com.cy
Security Advisor
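
Added example, not part of either message above and not Microsoft's or the poster's code: the %c1%9c in the quoted URL is an overlong two-byte UTF-8 encoding of the backslash (U+005C), and the check below flags such sequences in a request path before any path handling. It generalises to three- and four-byte overlong forms; the function names and sample paths are assumptions made for illustration.

```python
from urllib.parse import unquote_to_bytes

PATH_META = {"/", "\\", "."}  # characters that matter to path resolution

def overlong_sequences(raw: bytes):
    """Yield (encoded_bytes, hidden_code_point) for each overlong UTF-8 form."""
    i = 0
    while i < len(raw):
        b = raw[i]
        # Lead byte gives sequence length, payload bits, and the smallest
        # code point that legitimately needs that many bytes.
        if b & 0xE0 == 0xC0:
            n, cp, floor = 2, b & 0x1F, 0x80
        elif b & 0xF0 == 0xE0:
            n, cp, floor = 3, b & 0x0F, 0x800
        elif b & 0xF8 == 0xF0:
            n, cp, floor = 4, b & 0x07, 0x10000
        else:
            i += 1
            continue
        tail = raw[i + 1:i + n]
        if len(tail) == n - 1 and all(t & 0xC0 == 0x80 for t in tail):
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            if cp < floor:  # a shorter encoding exists, so this one is overlong
                yield raw[i:i + n], cp
            i += n
        else:
            i += 1

def check_request_path(path: str):
    """Percent-decode once, return [(hex of sequence, character it hides)]."""
    raw = unquote_to_bytes(path)
    return [(seq.hex(), chr(cp)) for seq, cp in overlong_sequences(raw)]

def is_traversal_attempt(path: str) -> bool:
    """True when an overlong sequence hides a path separator or a dot."""
    return any(ch in PATH_META for _, ch in check_request_path(path))

# Constructed sample request paths; the first is the one quoted in the post.
SAMPLE_PATHS = [
    "/scripts/..%c1%9c../windows/notepad.exe",
    "/docs/caf%c3%a9.html",   # valid two-byte UTF-8, must not be flagged
    "/index.html",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, check_request_path(p), is_traversal_attempt(p))
```

A strict UTF-8 decoder rejects these sequences outright; this scan is for logs or filters that sit in front of a decoder that does not.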