Bugtraq mailing list archives

Re: Microsoft Security Bulletin (MS00-078)


From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Fri, 20 Oct 2000 18:39:02 -0700

-----BEGIN PGP SIGNED MESSAGE-----

Hi All -

This is expected behavior, although it requires some explanation.

Security Bulletin MS00-030 ("Malformed Extension Data in URL")
provided a patch that changes how certain URLs are handled.  One of
the changes is that after applying the patch, directory names can't
include an extension that's normally associated with an executable
file type.  So, for instance, http://localhost/test.com/index.htm
would be treated as invalid, while
http://localhost/test.aaa/index.htm would be treated as valid.  We
did discuss this in the original version of MS00-030, but today we
updated it to make it more clear.  (See "What Does This Patch Do?" in
the FAQ)

The next question is why applying the patch for MS00-078 caused the
behavior from MS00-030 to occur.  The reason is that both of the
patches shipped their new functionality via W3SVC.DLL.  Whenever we
issue a patch, the fix is incorporated into the official code tree.
Future patches are always built using the then-current code tree.
This means that, when we issued MS00-030, the new URL handling became
part of the code tree for W3SVC.DLL.  When we issued the patch for
MS00-078, it contained a fix for its vulnerability, built atop the
current code tree, which already included the functionality for
MS00-030.  (BTW, to be 100% accurate, there actually isn't a new
patch for MS00-078 -- the bulletin points to the patch delivered in
MS00-057.  I glossed over this detail because the description was
complicated enough already).

One last point.  This does *not* mean that all security patches are
cumulative.  MS00-030 and MS00-078 shared behavior only because they
both shipped W3SVC.DLL.  If, for example, MS00-078 had included
XYZ.DLL rather than W3SVC.DLL, the behavior from MS00-030 would not
have been included in it.

Hope that helps clear up the mystery.  Regards,

Scott Culp
Security Program Manager
Microsoft Security Response Center



- -----Original Message-----
From: Luiz Lima [mailto:llima () IMAGELINK COM BR]
Sent: Wednesday, October 18, 2000 7:58 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: En: Microsoft Security Bulletin (MS00-078)


UPDATE: Renato Henriques (grandmaster () imagelink com br), a
co-worker of mine, has come up with an idea that allowed us to better
understand the problem.

We first discovered it because we host some test folders for clients
under our own domain "/theirdomain.com" and that was when we first
saw the problem and didn't realize we were keeping the ".com" pattern
while testing.

It happens that the problem is to load content from folders that look
like executables. So, http://localhost/test.com/index.htm or
http://localhost/test.exe/index.htm will fail while
http://localhost/test.aaa/index.htm will succeed as they all should.

It's still a bug, as far as we are concerned, but it's a different
one than what we previously thought.

- ---
Luiz Lima
Image Link Internet
http://www.imagelink.com.br

- -----Original Message-----
From: "Luiz Lima" <llima () imagelink com br>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, October 18, 2000 12:13
Subject: Re: Microsoft Security Bulletin (MS00-078)


Ok... So I've applied the patch to my English version NT Server 4.0
SP6a. Now it seems that I can't access directories with dots in
their names.

To make it happen, simply create a folder named test.com on your
web folder.
If you try to access it (http://localhost/test.com) the server
returns "listing not allowed". Well, that was expected. Now, create
a simple index.htm or index.asp and put it inside there and try
again: 404 - Not found.

It also seems not to be related to the default document loading
because if you create a bogus.htm file and try to get it
(http://localhost/test.com/bogus.htm) it won't come either. A "not
found" error is all you'll get.

I've tried on three different servers (with very similar
configuration, however) and they all behaved the same way.

Anybody with this behavior?

---
Luiz Lima
Image Link Internet
http://www.imagelink.com.br

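One way to find content affected by the directory-name rule described in this thread, as an added example that is not part of the original messages or of Microsoft's code. The function names are hypothetical, and the extension set holds only the two extensions the thread reports as rejected (the patch's full list is not given on this page).

```python
import os
import posixpath
from urllib.parse import urlsplit, unquote

# Only the extensions the thread reports as rejected; the patch's full list is
# not given on this page, so extend this set from the MS00-030 FAQ.
EXEC_EXTS = {".com", ".exe"}

def blocked_segments(url, exec_exts=EXEC_EXTS):
    """Directory segments of `url` whose extension looks executable.

    Assumption: a segment counts as a directory name only when another
    segment follows it, which matches the cases reported in the thread.
    """
    segments = [s for s in unquote(urlsplit(url).path).split("/") if s]
    return [s for s in segments[:-1]
            if posixpath.splitext(s)[1].lower() in exec_exts]

def audit_urls(urls, exec_exts=EXEC_EXTS):
    """Map each affected URL to the directory segments that trigger the rule."""
    hits = {}
    for url in urls:
        bad = blocked_segments(url, exec_exts)
        if bad:
            hits[url] = bad
    return hits

def audit_webroot(root, exec_exts=EXEC_EXTS):
    """Relative paths of directories under `root` whose names match the rule."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if os.path.splitext(name)[1].lower() in exec_exts:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)

if __name__ == "__main__":
    # Constructed sample: the three URLs from the thread plus a host-only case.
    sample = [
        "http://localhost/test.com/index.htm",
        "http://localhost/test.exe/index.htm",
        "http://localhost/test.aaa/index.htm",
        "http://test.com/index.htm",
    ]
    for url, bad in audit_urls(sample).items():
        print(url, "->", bad)
```

Running `audit_webroot` against a copy of the web root before the patch goes on lists the folders that need renaming, such as the "/theirdomain.com" test folders mentioned in the thread.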
