Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Microsoft - Personal Web Server Extended UNICODE Directory Traversal Vulnerability

From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Mon, 19 Mar 2001 12:17:37 -0800
Hi All -

Personal Web Server is, of course, not intended to host web sites on the
Internet.  It's only intended to be used in protected environments such
as home networks and the like.  If you're hosting an Internet site, IIS
is the appropriate product to use.  Regards,

Scott Culp
Security Program Manager
Microsoft Security Response Center

-----Original Message-----
From: Dinos Pastos [mailto:dinopio () LINUX COM CY] 
Sent: Sunday, March 18, 2001 2:16 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Microsoft - Personal Web Server Extended UNICODE Directory
Traversal Vulnerability


Hi all...

Just wanted to point out that while testing my Default installation of
Windows 98 running Microsoft Personal Web Server that came with the
Windows98 SE CD I discovered that the famous IIS 4/5 Unicode Directory
Traversal Vulnerability applies also to this Server just as bad as in
IIS.

The exploit method is the same :
http://PWS-server/scripts/..%c1%9c../windows/notepad.exe

I wont go in to detail on how to exploit a Windows machine... (Sorry
script kiddies)...

Patches: Dunno.
Quickfixes: Use Linux.

Dinos Pastos - dinopio () linux com cy
Security Advisor
Previous By Date Next
Previous By Thread Next

Current thread: