Re: MS Personal Web Server

[rkuhljr () PUERIDOMUS BR (Rubens Kuhl Jr.)]

What version of MS PWS does this apply to ?

NT Option Pack includes IIS 4.0 for NT Server, PWS 4.0 for NT Workstation
and PWS 4.0 for Windows 95, and I would think (although I haven't tested to
be sure) that this doesn't affect PWS 4.0/Win95.



Rubens Kuhl Jr.


> -----Original Message-----
> From: Lynn Kyle [SMTP:lynn () RAINC COM]
> Sent: Sunday, March 22, 1998 2:15 PM
> To:   BUGTRAQ () NETSPACE ORG
> Subject:      MS Personal Web Server
>
> Has this been reported?
>
> The MS Personal Web Server (tried on the win95, not NT) suffers
> from the old IIS 3.0 unpatched bug of allowing you to download
> asp files by using a trailing ".".
>
> e.g.,
>
> telnet victim 80
> GET /default.asp. HTTP/1.0
>
> will give you the contents of the asp not the result.
> oops for any of you embedding a db login/pass in the asp.
>
> Mike