Bugtraq mailing list archives
Re: Microsoft Security Bulletin (MS00-078)
From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Fri, 20 Oct 2000 18:39:02 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hi All - This is expected behavior, although it requires some explanation. Security Bulletin MS00-030 ("Malformed Extension Data in URL") provided a patch that changes how certain URLs are handled. One of the changes is that after applying the patch, directory names can't include an extension that's normally associated with an executable file type. So, for instance, http://localhost/test.com/index.htm would be treated as invalid, while http://localhost/test.aaa/index.htm would be treated as valid. We did discuss this in the original version of MS00-030, but today we updated it to make it more clear. (See "What Does This Patch Do?" in the FAQ) The next question is why applying the patch for MS00-078 caused the behavior from MS00-030 to occur. The reason is that both of the patches shipped their new functinality via W3SVC.DLL. Whenever we issue a patch, the fix is incorporated into the official code tree. Future patches are always built using the then-current code tree. This means that, when we issued MS00-030, the new URL handling became part of the code tree for W3SVC.DLL. When we issued the patch for MS00-078, it contained a fix for its vulnerability, built atop the current code tree, which already included the functionality for MS00-030. (BTW, to be 100% accurate, there actually isn't a new patch for MS00-078 -- the bulletin points to the patch delivered in MS00-057. I glossed over this detail because the description was complicated enough already). One last point. This does *not* mean that all security patches are cumulative. MS00-030 and MS00-078 shared behavior only because they both shipped W3SVC.DLL. If, for example, MS00-078 had included XYZ.DLL rather than W3SVC.DLL, the behavior from MS00-030 would not have been included in it. Hope that helps clear up the mystery. Regards, Scott Culp Security Program Manager Microsoft Security Response Center - -----Original Message----- From: Luiz Lima [mailto:llima () IMAGELINK COM BR] Sent: Wednesday, October 18, 2000 7:58 AM To: BUGTRAQ () SECURITYFOCUS COM Subject: En: Microsoft Security Bulletin (MS00-078) UPDATE: Renato Henriques (grandmaster () imagelink com br), a co-worker of mine, has come with an idea that allowed us to better understand the problem. We first discovered it because we host some test folders for clients under our own domain "/theirdomain.com" and that was when we first saw the problem and didn't realize we were keeping the ".com" pattern while testing. It happens that the problem is to load content from folders that look like executables. So, http://localhost/test.com/index.htm or http://localhost/test.exe/index.htm will fail while http://localhost/test.aaa/index.htm will succeed as they all should. It's still a bug, as far as we are concerned, but it's a different one than what we previously thought. - --- Luiz Lima Image Link Internet http://www.imagelink.com.br - -----Mensagem Original----- De: "Luiz Lima" <llima () imagelink com br> Para: <BUGTRAQ () SECURITYFOCUS COM> Enviada em: Quarta-feira, 18 de Outubro de 2000 12:13 Assunto: Re: Microsoft Security Bulletin (MS00-078)
Ok... So I've applied the patch to my English version NT Server 4.0 SP6a. Now it seems that I can't access directories with dots on their names. To make it happen, simply create a folder named test.com on your web
folder.
If you try to access it (http://localhost/test.com) the server returns "listing not allowed". Well, that was expected. Now, create a simple index.htm or index.asp and out it inside there and try again: 404 - Not found. It also seems not to be related to the default document loading because if you create a bogus.htm file and try to get it (http://localhost/test.com/bogus.htm) it won't come either. A "not found" error is all you'll get. I've tried on three different servers (with ver simillar configuration, however) and they all behaved the same way. Anybody with this behavior? --- Luiz Lima Image Link Internet http://www.imagelink.com.br
-----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBOfDzio0ZSRQxA/UrAQESLQgAiRrEq7O6jCDw7iiXPAM9utjTUBPyiz03 gXuQbbC8chvXrg42NbaE7c+6XTu0FxWD1WvLlUt+ZlsMS+/NS9wC/P+b2e3Xw7EY 9eRt/3gYXp2yL9DHxu7MibK6Btgog1MVJuajDb3UQvinIR/qKuBY3XOcbXcceyI5 oMCMk9pblOWMP5k1FGDtPjCO+WyV21RRPohbszDUnXvk/SN3CtHTDDwSQYn69Euq XygWMYRE3K/SNI9cs6lazzYIjO8mzWbE/SUwwhex1JosmsYDqTROBz36tG7qrfNC kZ1zX/T50tlB9ed1BoIRT7zRsimwrXyDPVKjid6KRU4tEmf5DdWHTQ== =Nsn6 -----END PGP SIGNATURE-----
Attachment:
smime.p7s
Description:
Current thread:
- Microsoft Security Bulletin (MS00-078) Microsoft Product Security (Oct 17)
- Re: Microsoft Security Bulletin (MS00-078) Luiz Lima (Oct 19)
- <Possible follow-ups>
- Re: Microsoft Security Bulletin (MS00-078) Microsoft Security Response Center (Oct 24)
- Re: Microsoft Security Bulletin (MS00-078) Luiz Lima (Oct 24)