Bugtraq mailing list archives
Fwd: Re: Microsoft - Personal Web Server Extended UNICODE Directory Traversal Vulnerability
From: Zack Link <zlink () SLB COM>
Date: Tue, 20 Mar 2001 13:01:17 -0500
Hi All - Personal Web Server is, of course, not intended to host web sites on the Internet. It's only intended to be used in protected environments such as home networks and the like. If you're hosting an Internet site, IIS is the appropriate product to use. Regards, Scott Culp Security Program Manager Microsoft Security Response Center
Interesting, because your web site says specifically that both Personal Web Server and Peer Web Services CAN be used for Internet-accessible web sites. Take a look... http://msdn.microsoft.com/library/officedev/office97/settinguppersonalwebserver.htm Regards, Zack Link
-----Original Message----- From: Dinos Pastos [mailto:dinopio () LINUX COM CY] Sent: Sunday, March 18, 2001 2:16 AM To: BUGTRAQ () SECURITYFOCUS COM Subject: Microsoft - Personal Web Server Extended UNICODE Directory Traversal Vulnerability Hi all... Just wanted to point out that while testing my Default installation of Windows 98 running Microsoft Personal Web Server that came with the Windows98 SE CD I discovered that the famous IIS 4/5 Unicode Directory Traversal Vulnerability applies also to this Server just as bad as in IIS. The exploit method is the same : http://PWS-server/scripts/..%c1%9c../windows/notepad.exe I wont go in to detail on how to exploit a Windows machine... (Sorry script kiddies)... Patches: Dunno. Quickfixes: Use Linux. Dinos Pastos - dinopio () linux com cy Security Advisor
Current thread:
- Fwd: Re: Microsoft - Personal Web Server Extended UNICODE Directory Traversal Vulnerability Zack Link (Mar 21)