Bugtraq mailing list archives

Re: Microsoft - Personal Web Server Extended UNICODE Directory Traversal Vulnerability


From: Michael Brennen <mbrennen () FNI COM>
Date: Wed, 21 Mar 2001 11:18:03 -0600

On Mon, 19 Mar 2001, Microsoft Security Response Center wrote:

Personal Web Server is, of course, not intended to host web
sites on the Internet.  It's only intended to be used in
protected environments such as home networks and the like.  If
you're hosting an Internet site, IIS is the appropriate product
to use.

Regards,

Scott Culp
Security Program Manager
Microsoft Security Response Center

This response is an attempt to redefine a problem out of existence
rather than fix it.  Or have we forgotten that Microsoft's own
network was broken while running its 'appropriate products' (without
'appropriate patches', of course)?

It does not matter for what purpose PWS is running.  Given that PWS
runs with FP, and that it may be running for long web site
development sessions, that it is running at all is sufficient to put
the machine at risk.  Or is PWS not vulnerable when running with FP?

The 'of course' above is not at all obvious. Does FP document that
web site development should only be done on a protected network?
Where is PWS prominently labeled as inappropriate for use on the
public Internet? Or should it be intuitively obvious that because of
the use of 'personal' in its name one should only use it on a
protected network?

It is one thing to be designed not to carry much traffic or have
many configuration options; it is quite another to be insecure.
That a machine running PWS may be at risk, and that Microsoft
understands this and has chosen not to fix it, is the tacit
conclusion of Mr. Culp's response.

The stark reality is that home computers are generally the least
protected on the Internet.  Given the known bugs and security design
flaws in Windows (OS, IE, Outlook, and related software), and that
most home computer users do not understand the bugs or security
issues involved, probably rarely if ever update security patches,
and are increasingly connected with unprotected always-on
connections, they are also among the most vulnerable.  Or do we
forget about trinoo and kin, unprotected drive shares, and others?

And this is the protected home network environment where Microsoft
expects PWS to be run for security reasons?

   -- Michael
