[19756] in bugtraq
Fwd: Re: Microsoft - Personal Web Server Extended UNICODE
daemon@ATHENA.MIT.EDU (Zack Link)
Wed Mar 21 17:09:18 2001
Message-ID: <5.0.2.1.0.20010320125749.00a658e0@mail.norcross.rms.slb.com>
Date: Tue, 20 Mar 2001 13:01:17 -0500
Reply-To: Zack Link <zlink@SLB.COM>
From: Zack Link <zlink@SLB.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
>
>Hi All -
>
>Personal Web Server is, of course, not intended to host web sites on the
>Internet. It's only intended to be used in protected environments such
>as home networks and the like. If you're hosting an Internet site, IIS
>is the appropriate product to use. Regards,
>
>Scott Culp
>Security Program Manager
>Microsoft Security Response Center
>
Interesting, because your web site says specifically that both Personal Web
Server and Peer Web Services CAN be used for Internet-accessible web sites.
Take a look...
http://msdn.microsoft.com/library/officedev/office97/settinguppersonalwebserver.htm
Regards,
Zack Link
>-----Original Message-----
>From: Dinos Pastos [mailto:dinopio@LINUX.COM.CY]
>Sent: Sunday, March 18, 2001 2:16 AM
>To: BUGTRAQ@SECURITYFOCUS.COM
>Subject: Microsoft - Personal Web Server Extended UNICODE Directory
>Traversal Vulnerability
>
>
>Hi all...
>
>Just wanted to point out that while testing my default installation of
>Windows 98 running Microsoft Personal Web Server that came with the
>Windows 98 SE CD I discovered that the famous IIS 4/5 Unicode Directory
>Traversal Vulnerability applies also to this server just as badly as in
>IIS.
>
>The exploit method is the same:
>http://PWS-server/scripts/..%c1%9c../windows/notepad.exe
>
>I won't go into detail on how to exploit a Windows machine... (Sorry
>script kiddies)...
>
>Patches: Dunno.
>Quickfixes: Use Linux.
>
>Dinos Pastos - dinopio@linux.com.cy
>Security Advisor
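
For defenders reviewing PWS or IIS access logs, the following is an added example, not part of the original thread: it flags request paths where a percent-encoded overlong 2-byte UTF-8 sequence (lead byte 0xC0 or 0xC1, never valid in UTF-8) folds to a path separator and yields a `..` segment, as in the URL quoted above. The log lines are constructed samples, the function names are hypothetical, and only 2-byte overlong forms are handled.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (not from the original post); the
# second request path is the one quoted in the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Mar/2001:02:16:00 +0200] "GET /default.htm HTTP/1.0" 200 1024',
    '10.0.0.9 - - [18/Mar/2001:02:16:07 +0200] "GET /scripts/..%c1%9c../windows/notepad.exe HTTP/1.0" 200 53248',
    '10.0.0.5 - - [18/Mar/2001:02:17:11 +0200] "GET /docs/caf%c3%a9.htm HTTP/1.0" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+)')

def fold_overlong(raw: bytes):
    """Return (folded bytes, found flag). A 0xC0/0xC1 lead byte plus one
    continuation byte is an overlong 2-byte form of an ASCII character."""
    out, found, i = bytearray(), False, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and raw[i + 1] & 0xC0 == 0x80:
            # Recover the 7-bit code point the two bytes really encode.
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            found = True
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out), found

def inspect_path(path: str):
    """Classify one request path as 'ok', 'overlong' or 'traversal'."""
    folded, found = fold_overlong(unquote_to_bytes(path))
    # Windows servers treat both '/' and '\' as separators.
    if b'..' in re.split(rb'[/\\]', folded):
        return 'traversal'
    return 'overlong' if found else 'ok'

def scan(lines):
    """Return (path, verdict) for every request that is not 'ok'."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and (v := inspect_path(m.group(1))) != 'ok':
            hits.append((m.group(1), v))
    return hits

if __name__ == '__main__':
    for path, verdict in scan(SAMPLE_LOG):
        print(verdict, path)
```

The legitimate two-byte sequence `%c3%a9` in the third sample line is left alone, because only lead bytes 0xC0 and 0xC1 are folded.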