Bugtraq mailing list archives
En: Microsoft Security Bulletin (MS00-078)
From: Luiz Lima <llima () IMAGELINK COM BR>
Date: Wed, 18 Oct 2000 12:58:01 -0200
UPDATE: Renato Henriques (grandmaster () imagelink com br), a co-worker of mine, has come up with an idea that allowed us to better understand the problem.

We first discovered it because we host some test folders for clients under our own domain ("/theirdomain.com"); that was when we first saw the problem, and we didn't realize we were keeping the ".com" pattern while testing.

It turns out that the problem is loading content from folders that look like executables. So, http://localhost/test.com/index.htm or http://localhost/test.exe/index.htm will fail, while http://localhost/test.aaa/index.htm will succeed, as they all should.

It's still a bug, as far as we are concerned, but it's a different one than what we previously thought.

---
Luiz Lima
Image Link Internet
http://www.imagelink.com.br

-----Original Message-----
From: "Luiz Lima" <llima () imagelink com br>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, October 18, 2000 12:13
Subject: Re: Microsoft Security Bulletin (MS00-078)
Ok... So I've applied the patch to my English version NT Server 4.0 SP6a. Now it seems that I can't access directories with dots in their names.

To make it happen, simply create a folder named test.com in your web folder. If you try to access it (http://localhost/test.com) the server returns "listing not allowed". Well, that was expected. Now, create a simple index.htm or index.asp and put it inside there and try again: 404 - Not found.

It also seems not to be related to the default document loading, because if you create a bogus.htm file and try to get it (http://localhost/test.com/bogus.htm) it won't come either. A "not found" error is all you'll get.

I've tried on three different servers (with very similar configuration, however) and they all behaved the same way.

Anybody with this behavior?

---
Luiz Lima
Image Link Internet
http://www.imagelink.com.br
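A post-patch regression check for the symptom described in this thread, as an added example that is not part of the original post: it requests index.htm under the three folder names mentioned above (test.com, test.exe, test.aaa) and flags folders that return 404 while the control folder is still served. The function names and the stub server are assumptions of this example; the stub is constructed to mimic the reported behaviour so the script runs offline, and `probe()` can be pointed at a real host where those folders have been created.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Folder names from the post: two that look like executables, one control.
DIRS = ["test.com", "test.exe", "test.aaa"]

def probe(base_url, dirs=DIRS, doc="index.htm"):
    """Return {folder: HTTP status} for GET base_url/folder/doc."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    statuses = {}
    for d in dirs:
        try:
            with opener.open(f"{base_url}/{d}/{doc}", timeout=5) as resp:
                statuses[d] = resp.status
        except urllib.error.HTTPError as err:
            statuses[d] = err.code
    return statuses

def affected(statuses, control="test.aaa"):
    """Folders that 404 although the control folder is served (the reported symptom)."""
    if statuses.get(control) != 200:
        return None  # content not deployed or server down: inconclusive
    return sorted(d for d, s in statuses.items() if s == 404)

class StubHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in that mimics the behaviour reported in the post."""
    def do_GET(self):
        first = self.path.strip("/").split("/")[0].lower()
        code = 404 if first.endswith((".com", ".exe")) else 200
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def demo():
    """Run probe() against the local stub and return the status map."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe(f"http://127.0.0.1:{srv.server_port}")
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    result = demo()
    print(result, "affected:", affected(result))
```

A `None` result from `affected()` means the control folder itself was not served, so nothing can be concluded about the dot-named folders.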