[21078] in bugtraq


Re: personal web server directory traversal vulnerability patch

daemon@ATHENA.MIT.EDU (Gary Flynn)
Mon Jun 18 19:56:57 2001

Date: Sun, 17 Jun 2001 01:03:19 +0200
From: Gary Flynn <flynngn@jmu.edu>
To: - - <crayo@linux.local>
Cc: bugtraq@securityfocus.com
Message-ID: <20010617010319.O1090@linux.local>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

David Raitzer wrote:
> 
> I assembled an effective patch for the UNICODE directory traversal
> vulnerability issue in Microsoft Personal Web Server 4.0 for Windows 95/98,
> which was noted previously on this list.  It can be downloaded at:
> http://www.geocities.com/p_w_server/pws_patch/index.htm

David,

I was spending my morning trying to decide how to address this issue
and saw your email. Talk about timing. :)

Being responsible (paranoid?), I wanted to verify the patch files
against the Microsoft equivalents. I had assumed that you mixed and
matched existing Microsoft dlls and exes from the various patches and 
created your own installer.

I unpackaged the -010 and -078 patches and tried to do file compares.
Many of the .DLL files in your package didn't match files in either
Microsoft package.

I also couldn't find some of the version numbers included in your package 
on the Microsoft DLL Help database.

Anyway, I was curious where these files came from. Did you use a binary
editor to patch them or recreate them from scratch somehow? Or am I just 
looking in the wrong places?

thanks,
-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml


----- End forwarded message -----
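The check Gary describes (unpacking the vendor patches and comparing the third-party bundle's files against them) as an added Python example; this is not code from the thread, and the package names, file names and bytes in demo() are constructed stand-ins. A file is reported as byte-identical to a vendor file, as sharing only a name with one (a different build, worth inspecting), or as having no vendor counterpart at all.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs/EXEs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def index_vendor(vendor_dirs):
    """Index every file in the unpacked vendor patches by content hash and by name."""
    by_hash, by_name = {}, {}
    for d in map(Path, vendor_dirs):
        for p in (x for x in d.rglob("*") if x.is_file()):
            tag = f"{d.name}/{p.name}"
            by_hash.setdefault(sha256_of(p), set()).add(tag)
            by_name.setdefault(p.name.lower(), set()).add(tag)
    return by_hash, by_name

def classify_bundle(bundle_dir, vendor_dirs):
    """Classify each third-party file: identical to a vendor file, same name but
    different bytes (needs a closer look), or no vendor counterpart at all."""
    by_hash, by_name = index_vendor(vendor_dirs)
    report = {}
    for p in (x for x in Path(bundle_dir).rglob("*") if x.is_file()):
        h = sha256_of(p)
        if h in by_hash:
            report[p.name] = ("identical", sorted(by_hash[h]))
        elif p.name.lower() in by_name:
            report[p.name] = ("name-only", sorted(by_name[p.name.lower()]))
        else:
            report[p.name] = ("unknown", [])
    return report

def demo():
    """Constructed sample tree: two stand-in vendor packages and one bundle."""
    root = Path(tempfile.mkdtemp())
    for d in ("patch-010", "patch-078", "bundle"):
        (root / d).mkdir()
    (root / "patch-010" / "sample_a.dll").write_bytes(b"vendor build A")
    (root / "patch-078" / "sample_b.dll").write_bytes(b"vendor build B")
    (root / "bundle" / "sample_a.dll").write_bytes(b"vendor build A")   # byte-identical
    (root / "bundle" / "sample_b.dll").write_bytes(b"rebuilt build B")  # same name only
    (root / "bundle" / "extra.dll").write_bytes(b"no vendor counterpart")
    return classify_bundle(root / "bundle", [root / "patch-010", root / "patch-078"])
```

On real packages, point classify_bundle() at the directories produced by extracting the vendor hotfixes and the third-party installer; anything reported as name-only or unknown is exactly the set of files whose origin still has to be explained.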
