Bugtraq mailing list archives

En: Microsoft Security Bulletin (MS00-078)


From: Luiz Lima <llima () IMAGELINK COM BR>
Date: Wed, 18 Oct 2000 12:58:01 -0200

UPDATE: Renato Henriques (grandmaster () imagelink com br), a co-worker of
mine, has come up with an idea that allowed us to better understand the
problem.

We first discovered it because we host some test folders for clients under
our own domain "/theirdomain.com" and that was when we first saw the problem
and didn't realize we were keeping the ".com" pattern while testing.

It happens that the problem is to load content from folders that look like
executables. So, http://localhost/test.com/index.htm or
http://localhost/test.exe/index.htm will fail while
http://localhost/test.aaa/index.htm will succeed as they all should.

It's still a bug, as far as we are concerned, but it's a different one than
what we previously thought.

---
Luiz Lima
Image Link Internet
http://www.imagelink.com.br

-----Original Message-----
From: "Luiz Lima" <llima () imagelink com br>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, October 18, 2000 12:13
Subject: Re: Microsoft Security Bulletin (MS00-078)


Ok... So I've applied the patch to my English version NT Server 4.0 SP6a.
Now it seems that I can't access directories with dots in their names.

To make it happen, simply create a folder named test.com in your web
folder.
If you try to access it (http://localhost/test.com) the server returns
"listing not allowed". Well, that was expected. Now, create a simple
index.htm or index.asp and put it inside there and try again: 404 - Not
found.

It also seems not to be related to the default document loading because if
you create a bogus.htm file and try to get it
(http://localhost/test.com/bogus.htm) it won't come either. A "not found"
error is all you'll get.

I've tried on three different servers (with very similar configuration,
however) and they all behaved the same way.

Anybody with this behavior?

---
Luiz Lima
Image Link Internet
http://www.imagelink.com.br
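
An added example, not part of the original posts: a Python audit that walks a web root and lists the directories whose names end in the two extensions reported above (.com and .exe), with the number of files under each that would stop being served. The extension list, function names and sample tree are assumptions built from the folder names in the thread.

```python
import os
import tempfile

# Assumption: only the two extensions named in the thread; extend if testing shows more.
EXECUTABLE_LIKE = (".com", ".exe")


def affected_directories(web_root, extensions=EXECUTABLE_LIKE):
    """Return sorted (url_path, file_count) for directories named like executables."""
    hits = []
    for current, dirs, _files in os.walk(web_root):
        for name in dirs:
            if not name.lower().endswith(extensions):
                continue
            full = os.path.join(current, name)
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            # Count every file below the directory: all of it becomes unreachable.
            count = sum(len(files) for _, _, files in os.walk(full))
            hits.append(("/" + rel + "/", count))
    return sorted(hits)


def build_sample_root(base):
    """Create a constructed web root mirroring the folder names in the thread."""
    for rel in ("test.com/index.htm", "test.exe/index.htm", "test.aaa/index.htm",
                "clients/theirdomain.com/index.htm",
                "clients/theirdomain.com/img/logo.gif"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for url_path, count in affected_directories(build_sample_root(root)):
            print(f"{url_path}  ({count} file(s) expected to return 404)")
```

Point `affected_directories` at the real web root before applying the patch to see which client folders need renaming.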

