Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1996_3

Bugtraq archives for 3rd quarter (Jul-Sep) 1996: Microsoft IIS '..' Problem

Microsoft IIS '..' Problem

Thomas Lopatic (lopaticdbs.informatik.uni-muenchen.de)
Fri, 26 Jul 1996 20:41:13 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: William McVey: "Re: bin owned system files"
Previous message: Matthew G. Harrigan: "Re: Zolaris 2.5 Exploited."
In reply to: Matthew G. Harrigan: "Re: HPUX expreserve == SunOS 4.13 expreserve?"
Next in thread: John Ladwig: "Re: Microsoft IIS '..' Problem"

> > and there is another
> >'..' error in their Internet Information Server. Anyone offering more?
>
> I have yet to see this error in IIS. Where and how does it exist?

Sorry for not disclosing. I thought I had seen that one on bugtraq. Suppose
there is a document 'http://dummy.com/Public/Index.htm' and 'Index.html' is
'C:\inetsrv\wwwroot\Public\Index.htm'. Then try getting
'http://dummy.com/Public/../../../autoexec.bat' which will give you
'C:\autoexec.bat'. It seems, however, that the first directory ('Public')
will be necessary, i. e. 'http://dummy.com/../../autoexec.bat' won't
work.

But now back to the Unix things.
-Thomas

--
Thomas Lopatic                               lopaticinformatik.uni-muenchen.de

Next message: William McVey: "Re: bin owned system files"
Previous message: Matthew G. Harrigan: "Re: Zolaris 2.5 Exploited."
In reply to: Matthew G. Harrigan: "Re: HPUX expreserve == SunOS 4.13 expreserve?"
Next in thread: John Ladwig: "Re: Microsoft IIS '..' Problem"