Vulnerability Development mailing list archives
Re: Has anyone verified whether is is valid?
From: marc () EEYE COM (Marc)
Date: Fri Apr 14 22:02:12 2000
There is no vulnerability. Yes the string "netscape programmers are weenies" is correct but, in order to even view the dll you need frontpage Web Author permissions which requires a user/pass pair or really crappy settings by the administrator. Once you have access to a FP web as Web Author its game over because you can upload files etc... For exaple you could upload netcat and cmd.exe to the cgi-bin folder and then bind cmd.exe to any given port. So no there is no new hole really. People have been taking advantage of lax FP permissions for years now. Signed, Marc eEye Digital Security http://www.eEye.com ------------------------ Time: Fri, 14 Apr 2000 14:55:19 -0000 From: M J <M J <lurker () ITIS COM>> Subject: Has anyone verified whether is is valid? Friday's top stories Microsoft admits security flaw By CBS MarketWatch Last Update: 9:07 AM ET Apr 14, 2000 NEW YORK (CBS.MW) -- Microsoft (MSFT </data/squote.htx? TICKER=MSFT&TABLES=table&SOURCE=htx/http2_mw&dist=newsq>: news <http://www.marketwatch.newsalert.com/bin/headlines? Query=MSFT&SearchOption=ticker>, msgs <http://messages.marketwatch.com/mwclub/tickerLink.asp? ticker=MSFT&dist=newsm>) acknowledged Thursday that its engineers included in some of its Internet software a secret password -- a phrase deriding their rivals at Netscape as "weenies" -- that could be used to gain illicit access to hundreds of thousands of Internet sites world- wide. The manager of Microsoft's security-response center, Steve Lipner, acknowledged the online-security risk in an interview Thursday and described such a backdoor password as "absolutely against our policy" and a firing offense for the as yet unidentified employees. The company planned to warn customers as soon as possible with an e-mail bulletin and an advisory published on its corporate Web site. Microsoft urged customers to delete the computer file- called "dvwssr.dll"-containing the offending code. The file is installed on the company's Internet-server software with Frontpage 98 extensions. While there are no reports that the alleged security flaw has been exploited, the affected software is believed to be used by many Web sites. By using the so-called back door, a hacker may be able to gain access to key Web-site management files, which could in turn provide a road map to such things as customer credit- card numbers, said security experts who discovered the password. -Matthew
Current thread:
- Has anyone verified whether is is valid? M J (Apr 14)
- Re: Has anyone verified whether is is valid? Joe (Apr 14)
- Re: Has anyone verified whether is is valid? Ron DuFresne (Apr 14)
- Re: Has anyone verified whether is is valid? Ryan Permeh (Apr 14)
- Re: Has anyone verified whether is is valid? Maxime Rousseau (Apr 14)
- <Possible follow-ups>
- Re: Has anyone verified whether is is valid? Hugo Gayosso (Apr 14)
- Re: Has anyone verified whether is is valid? Marc (Apr 14)
- Re: dvwssr.dll (Has anyone verified whether is is valid?) Blue Boar (Apr 14)
- Re: dvwssr.dll (Has anyone verified whether is is valid?) Marc (Apr 14)
- Re: dvwssr.dll (Has anyone verified whether is is valid?) Blue Boar (Apr 15)
- Re: dvwssr.dll (Has anyone verified whether is is valid?) Marc (Apr 15)
- Re: dvwssr.dll (Has anyone verified whether is is valid?) Blue Boar (Apr 14)
- Oulook password Hap2782 (Apr 15)
- Re: Oulook password Blue Boar (Apr 15)
- [Fwd: R: Oulook password] Blue Boar (Apr 15)