Fwd: Re: Microsoft - Personal Web Server Extended UNICODE Directory Traversal Vulnerability

[Zack Link <zlink () SLB COM>]

> Hi All -
>
> Personal Web Server is, of course, not intended to host web sites on the
> Internet.  It's only intended to be used in protected environments such
> as home networks and the like.  If you're hosting an Internet site, IIS
> is the appropriate product to use.  Regards,
>
> Scott Culp
> Security Program Manager
> Microsoft Security Response Center

Interesting, because your web site says specifically that both Personal Web
Server and Peer Web Services CAN be used for Internet-accessible web sites.

Take a
look...
http://msdn.microsoft.com/library/officedev/office97/settinguppersonalwebserver.htm

Regards,

Zack Link





> -----Original Message-----
> From: Dinos Pastos [mailto:dinopio () LINUX COM CY]
> Sent: Sunday, March 18, 2001 2:16 AM
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: Microsoft - Personal Web Server Extended UNICODE Directory
> Traversal Vulnerability
>
>
> Hi all...
>
> Just wanted to point out that while testing my Default installation of
> Windows 98 running Microsoft Personal Web Server that came with the
> Windows98 SE CD I discovered that the famous IIS 4/5 Unicode Directory
> Traversal Vulnerability applies also to this Server just as bad as in
> IIS.
>
> The exploit method is the same :
> http://PWS-server/scripts/..%c1%9c../windows/notepad.exe
>
> I wont go in to detail on how to exploit a Windows machine... (Sorry
> script kiddies)...
>
> Patches: Dunno.
> Quickfixes: Use Linux.
>
> Dinos Pastos - dinopio () linux com cy
> Security Advisor