Bugtraq mailing list archives

Something to URGE for Windows NT/2000 administrators


From: Daniel Docekal <ddoc () MIA CZ>
Date: Mon, 14 Aug 2000 20:31:00 +0200

Dears,

While this is not a Windows NT-only list, the following relates to all of
us, because the ignorance of some webmasters running IIS (Internet
Information Server) 4.0/5.0 is somehow exceeding an acceptable level.

During an informal test done by our security team we have found that MOST of
the tested IIS4/5 webs are vulnerable to the NULL.HTW, +.HTR or Translate:f
security bugs - because of this, anybody can access the source code of
scripts, grab passwords/names or locations of Access MDB files. In dozens of
cases we were able to download megabytes of databases containing anything
from thousands of e-mail addresses up to logon names with passwords (and, as
is well known, people are using the same password all over the Internet).

We have notified the webmasters having such buggy webs, but surprisingly,
some of the responses were lacking understanding and their webs are open even
weeks after we discovered this.

I hereby want to URGE all Windows NT/2000 administrators to take seriously
the security bugs leading to accessible ASP/ASA sources (including $DATA,
which still plagues around 15% of tested webs).

Thank you
Daniel

