Information Security News mailing list archives

Wh00ps again! -- "Weenie" bug resurrected on Yahoo


From: InfoSec News <isn () c4i org>
Date: Tue, 15 May 2001 13:14:51 -0500 (CDT)

http://news.cnet.com/news/0-1003-200-5933518.html?tag=mn_hd

[It appears I reposted a news story as old as the six-pack of Molson's
Canadian I found in my garage, smuggled into the U.S. from my last
road trip to the Great White North back in early 2000. I will try not
to post any stories of the same vintage as the Point Beer Winter Bock
that I found also in the same corner of my garage.  Thanks to *ALL*
the readers that pointed this M$ advisory out to me.  :)  -=-  WK]


By Robert Lemos
Special to CNET News.com 
May 15, 2001, 10:00 a.m. PT 

More than a year after it was originally reported, the "Netscape
engineers are weenies!" security hole in Microsoft software made a
brief comeback Monday and Tuesday on Yahoo's Small Business portal.

A three-paragraph account on the bug--originally reported April 14,
2000--appeared without a date or byline on Yahoo's site, stating:
"Last Thursday, Microsoft admitted its engineers planted a secret
password in its software that could be used to gain illegitimate
access to hundreds of thousands of Internet sites worldwide."

Microsoft stressed that the report isn't new. "It's a year-old
problem," said a Microsoft representative. "We are trying to get
through to Yahoo to see what it's doing up there."

Several readers contacted CNET News.com Tuesday seeking further
information about the Yahoo report.

While originally reported as a "back door"--a secret password that
gives full access to another person's system--the "weenies" flaw is
actually an inadvertent bug in a dynamic link library, or DLL, file
known as "dvwssr.dll" that allows access to a Web site's active server
pages.

However, to access the pages, would-be intruders need to use a key to
encode Web page names. The key is "!seineew era sreenigne
epacsteN"--or "Netscape engineers are weenies!" spelled backwards--a
holdover from Microsoft's browser war with Netscape.

The file with the security flaw is provided by Microsoft to support
its Visual Interdev 1.0 application, an older, rarely used program
that helps Webmasters track broken links. Though few people use it,
the file is part of the default installation for Web servers using
Windows NT 4.0 and Microsoft's Internet Information Service 4.0
software as well as Microsoft's FrontPage 98 software and its Personal
Web Server 4.0.

Yahoo apparently removed the article around 9 a.m. PDT Tuesday, but a
Yahoo representative could not immediately explain the report.




ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.

