[21033] in bugtraq
Re: personal web server directory traversal vulnerability patch
daemon@ATHENA.MIT.EDU (Gary Flynn)
Fri Jun 15 12:40:29 2001
Message-ID: <3B292632.BAD8B524@jmu.edu>
Date: Thu, 14 Jun 2001 17:01:38 -0400
From: Gary Flynn <flynngn@jmu.edu>
To: David Raitzer <david_raitzer@hotmail.com>
Cc: bugtraq@securityfocus.com
David Raitzer wrote:
>
> I assembled an effective patch for the UNICODE directory traversal
> vulnerability issue in Microsoft Personal Web Server 4.0 for Windows 95/98,
> which was noted previously on this list. It can be downloaded at:
> http://www.geocities.com/p_w_server/pws_patch/index.htm
David,
I was spending my morning trying to decide how to address this issue
and saw your email. Talk about timing. :)
Being responsible (paranoid?), I wanted to verify the patch files
against the Microsoft equivalents. I had assumed that you mixed and
matched existing Microsoft dlls and exes from the various patches and
created your own installer.
I unpackaged the -010 and -078 patches and tried to do file compares.
Many of the .DLL files in your package didn't match files in either
Microsoft package.
I also couldn't find some of the version numbers included in your package
on the Microsoft DLL Help database.
Anyway, I was curious where these files came from. Did you use a binary
editor to patch them or recreate them from scratch somehow? Or am I just
looking in the wrong places?
thanks,
--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml
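As an added illustration (not part of this thread or of either patch), the kind of check Gary describes: hash every file in the unofficial package against the files unpacked from the vendor patches, and pull the image version and build timestamp out of each PE header so that files matching nothing can be looked up by version. Package labels, file names and the PE-shaped sample blobs are constructed placeholders.

```python
import hashlib
import os
import struct

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def pe_summary(data: bytes):
    """Return (COFF timestamp, 'major.minor' image version) or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 4 + 20                  # past "PE\0\0" and IMAGE_FILE_HEADER
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < opt + 48:
        return None
    timestamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]   # TimeDateStamp
    major, minor = struct.unpack_from("<HH", data, opt + 44)      # Major/MinorImageVersion
    return timestamp, f"{major}.{minor}"

def load_dir(path: str) -> dict:
    """Map lower-cased file name -> bytes for every file under an unpacked package."""
    out = {}
    for root, _, files in os.walk(path):
        for name in files:
            with open(os.path.join(root, name), "rb") as fh:
                out[name.lower()] = fh.read()
    return out

def compare_patch(candidate: dict, vendor_sets: dict) -> dict:
    """Classify each candidate file by which vendor packages hold a byte-identical copy."""
    vendor_hashes = {}
    for pkg, files in vendor_sets.items():
        for data in files.values():
            vendor_hashes.setdefault(sha256_of(data), []).append(pkg)
    report = {}
    for name, data in candidate.items():
        pkgs = vendor_hashes.get(sha256_of(data), [])
        report[name] = {"matches": pkgs, "pe": pe_summary(data),
                        "status": "vendor-identical" if pkgs else "UNKNOWN ORIGIN"}
    return report

def fake_pe(timestamp: int, major: int, minor: int, filler: bytes = b"") -> bytes:
    """Constructed minimal PE-shaped blob for the offline demo (not a real DLL)."""
    hdr = bytearray(0x88)                    # DOS header, PE sig, COFF, optional hdr
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature
    struct.pack_into("<I", hdr, 0x48, timestamp)
    struct.pack_into("<HH", hdr, 0x84, major, minor)
    return bytes(hdr) + filler
```

Against real packages, call `compare_patch(load_dir("unofficial/"), {"vendor-A": load_dir("vendorA/"), "vendor-B": load_dir("vendorB/")})` and follow up every entry reported as UNKNOWN ORIGIN using its version and timestamp.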