[3031] in bugtraq
Microsoft IIS '..' Problem
daemon@ATHENA.MIT.EDU (Thomas Lopatic)
Fri Jul 26 15:20:28 1996
Date: Fri, 26 Jul 1996 20:41:13 +0200
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Thomas Lopatic <lopatic@dbs.informatik.uni-muenchen.de>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <2.2.32.19960726175027.0070fd14@lintjr.cisco.com> from "Matthew
G. Harrigan" at Jul 26, 96 10:50:27 am
> > and there is another
> >'..' error in their Internet Information Server. Anyone offering more?
>
> I have yet to see this error in IIS. Where and how does it exist?
Sorry for not disclosing. I thought I had seen that one on bugtraq. Suppose
there is a document 'http://dummy.com/Public/Index.htm' and 'Index.html' is
'C:\inetsrv\wwwroot\Public\Index.htm'. Then try getting
'http://dummy.com/Public/../../../autoexec.bat' which will give you
'C:\autoexec.bat'. It seems, however, that the first directory ('Public')
will be necessary, i. e. 'http://dummy.com/../../autoexec.bat' won't
work.
But now back to the Unix things.
-Thomas
--
Thomas Lopatic lopatic@informatik.uni-muenchen.de
