[9132] in bugtraq


Bug in IIS and PWS but only for Windows 9x. Re: Personal web

daemon@ATHENA.MIT.EDU (Victor Lavrenko)
Wed Jan 20 12:23:41 1999

Date: 	Wed, 20 Jan 1999 11:57:19 +0300
Reply-To: Victor Lavrenko <lavrenko@MCST.RU>
From: Victor Lavrenko <lavrenko@MCST.RU>
X-To:         aleph1@UNDERGROUND.ORG
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19990119102124.B3523@underground.org> (message from Aleph One on
              Tue, 19 Jan 1999 10:21:24 -0800)

>>>>> "Aleph" == Aleph One <aleph1@UNDERGROUND.ORG> writes:

Hello everybody.

This bug exists because Windows 9x has a nice feature. When you
execute "cd .." it goes to the parent directory, and "cd ..." goes to
the parent directory of the parent directory, etc. Windows NT has no such
feature, so it isn't exploitable there.

IIS 4.0 and PWS 3.0 are exploitable only when run under Windows 9x,
not Windows NT.

    Aleph> No:

    Aleph> Windows NT 4.0 SP3 ("kiborg" <contact@kiborg.net>) Windows
[skip]
    Aleph> Windows 98 (Sean Coates scoates@usa.ne)

Sean checked a box with PWS 2.0. Due to another bug in its core, it
seems that it is not exploitable. PWS 3.0 doesn't have such a bug, so it is
exploitable.

    Aleph> Yes:

    Aleph> Windows 95 ("kiborg" <contact@kiborg.net>) Windows 98
[skip]
    Aleph> it open.

PWS and IIS (they have the same core) check for ".." in the URL, but don't
check for "...", "....", etc.

Summary:

1. IIS 4.0 and PWS 3.0 are exploitable under Windows 9x.
2. IIS (any version) and PWS (any version) are not exploitable under
   Windows NT.
3. PWS 2.0 and (possibly) IIS 3.0 are not exploitable under Windows 9x.

--
Victor Lavrenko
   Homepage:        http://www.lavrenko.pp.ru/
   E-mail:          lavrenko@mcst.ru  lavrenko@cs.msu.su
   Fingerprint:     35 D0 98 8D 96 E5 F4 BA  59 FB 9D 29 92 26 F5 59
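
The mechanism in the post above, as an added example that is not part of Victor Lavrenko's message or of any IIS/PWS code: a model of the Windows 9x rule that a run of N dots climbs N-1 directories, a "naive" filter that only recognises the literal ".." segment (the post does not say exactly how IIS/PWS performed the check, so a per-segment comparison is an assumption here), and a hardened check that canonicalises the request first and then compares against the web root. The web root `C:/webroot`, the sample request paths and the simplified Windows NT behaviour (dot runs longer than ".." treated as ordinary names) are all assumptions for illustration.

```python
# Added example, not code from the original Bugtraq post or from IIS/PWS.
# Models the Windows 9x "cd ..." behaviour described in the post and shows
# why filtering only for ".." misses "...", "...." and so on.
# Assumptions: hypothetical web root, constructed request paths, a naive
# check that compares each path segment against "..", and NT modelled as
# having no multi-dot feature at all (as the post states).
from urllib.parse import unquote

WEBROOT = "C:/webroot"  # hypothetical document root


def dot_run_depth(segment, win9x=True):
    """Return how many directory levels a path segment climbs.

    Windows 9x: "." climbs 0, ".." climbs 1, "..." climbs 2, "...." 3, ...
    Windows NT (modelled as the post describes it, no such feature):
    only "." and ".." are special; longer dot runs are ordinary names.
    Returns None for a segment that is not a run of dots.
    """
    if not segment or set(segment) != {"."}:
        return None
    if not win9x and len(segment) > 2:
        return None
    return len(segment) - 1


def naive_filter(url_path):
    """Model of the weak check: reject a request only when some path
    segment is exactly "..".  Longer dot runs ("...", "....") pass."""
    return all(seg != ".." for seg in unquote(url_path).split("/"))


def resolve(url_path, win9x=True, webroot=WEBROOT):
    """Map a request path onto the filesystem the way the OS would.

    Returns (resolved_path, inside_webroot).  The drive component is
    never popped, mirroring that you cannot climb above the drive root.
    """
    root = [p for p in webroot.split("/") if p]   # ["C:", "webroot"]
    stack = list(root)
    for seg in unquote(url_path).split("/"):
        if seg == "":
            continue
        depth = dot_run_depth(seg, win9x)
        if depth is None:
            stack.append(seg)
            continue
        for _ in range(depth):
            if len(stack) > 1:          # keep "C:"
                stack.pop()
    resolved = "/".join(stack)
    inside = stack[: len(root)] == root
    return resolved, inside


def hardened_filter(url_path, win9x=True):
    """Canonicalise first, then compare against the web root, instead of
    pattern-matching the raw request for one spelling of 'parent'."""
    _, inside = resolve(url_path, win9x)
    return inside


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for req in ("/index.htm", "/../windows/win.ini", "/.../windows/win.ini",
                "/cgi-bin/..../windows/win.ini", "/docs/%2e%2e%2e/x.htm"):
        path, ok = resolve(req)
        print(f"{req:32} naive={naive_filter(req)!s:5} "
              f"hardened={hardened_filter(req)!s:5} -> {path}")
```

Running the block shows the split the post describes: `/../windows/win.ini` is caught by both filters, while `/.../windows/win.ini` and `/cgi-bin/..../windows/win.ini` pass the naive filter yet resolve to `C:/windows/win.ini` under the Win9x rule. With `win9x=False` the same requests resolve to a harmless name inside the web root, which is the "not exploitable under NT" case.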
