From: The SANS Institute (sans+ZZ2119318909265587sans.org)
Date: Mon Apr 30 2001 - 18:13:22 CDT

    To: Security Express (SD397643)
    Re: SANS Windows Security Digest Vol. 4 Num. 4

    Please notify us if you receive this more than once by sending the SD
    number(s) to dupsans.org . Thanks!

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    **********************************************************************

                       The SANS Windows Security Digest
        A Resource for Computer and Network Security Professionals
                             Volume 4, Number 4
                                April 30, 2001

                 Dr. Jesper M. Johansson (Boston University)

    Editorial Board:
         Dr. Matt Bishop (Univ. California, Davis)
         Jeffrey W. Brown
         Phil Cox (SystemExperts Corp.)
         Mark T. Edmead (KPMG Information Risk Management Group)
         Chris Lalka (ExxonMobil)
         Steve Lewis (PROintelligent)
         Eric Maiwald (Fortrex)
         Rob Marchand (VoiceGenie Technologies),
         Dr. Gene Schultz (University of California-Berkeley Lab)

    Copyright 2001. The SANS Institute. All rights reserved.

    You may forward this issue to your co-workers and encourage them to
    subscribe. To do so, send a note with the subject "NT Digest" to
    digestsans.org

    We are now signing the Windows Security Digest with PGP. The new SANS'
    PGP key is posted at
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
    can also be accessed from the SANS web site (http://www.sans.org)

    **********************************************************************

    Welcome to the April 2001 installment of the Windows Security Digest.
    We only have three new Microsoft security bulletins to tell you about
    this month, and one of them corrected a regression error in an existing
    patch. The others are for a DoS condition in ISA server and a
    vulnerability in Internet Explorer discovered earlier in the month. We
    actually have no other Internet Explorer issues to tell you about, other
    than those that were fixed in the bulletins. However, there is a new
    attack tool available which can be used to compromise Windows
    networking. More on that, and some workarounds, in item 2.1.4. A new
    version of the popular password cracking tool L0phtCrack was also
    released. See item 2.1.3 for that story.

    JMJ

    ************* This issue Sponsored by SurfControl, Inc. *************

    WARNING: Networks bottleneck and costs climb as workers squander hours
    online - casual surfing, downloading MP3s, video and other bandwidth
    hogs.

    Install SurfControl on your network and in 20 minutes you'll know
    exactly WHO is doing WHAT, WHEN and WHERE on the Internet. SurfControl
    monitors, records and manages all TCP/IP protocols.

    FREE 30-Day Trial: http://www.surfcontrol.com/promo/SSD0428

    **********************************************************************

    Table of Contents
    1. Microsoft Security Bulletins
    1.1. MS01-015 v. 2 - IE can Divulge Location of Cached Content
    1.2. MS01-021 - Invalid Web Request Can Cause Access Violation in ISA
         Server Web Proxy Service
    1.3. MS01-022 - WebDAV Service Provider Can Allow Scripts to Levy
         Requests as User

    2. Microsoft Software Issues

    2.1. All/Other Microsoft Software Issues
    2.1.1. ISA server configuration error can cause denial of service
    2.1.2. Windows FTP client buffer overflow
    2.1.3. New version of L0phtCrack
    2.1.4. New attack tool for Windows networking

    3. Third-Party Software Issues
    3.1. Buffer overflows discovered this month
    3.2. Other Remote Denial of Service (DoS) Attacks discovered this month
    3.3. TrendMicro ScanMail for Exchange 3.5 stores unprotected passwords
         in the registry
    3.4. Roxio EZ-CD Creator 5.0 disables screen saver passwords
    3.5. Veritas BackupExec IDR may fail on Microsoft Small Business Server
         2000
    3.6. Netscape Navigator 4.76 can transmit history to servers
    3.7. PGP allows creation of file on user's computers
    3.8. Eudora can leak local files
    3.9. Opera stops prompting for file download
    3.10. Computer Associates' CCC\Harvest uses very weak encryption
    3.11. G6 FTP Server 2.0 vulnerabilities
    3.12. Directory traversal bug in Viking web server
    3.13. RaidenFTPD v2.1 directory traversal bug and fix
    3.14. WebXQ v2.1.204 directory traversal bug and fix

    =======================================================================
    1. Microsoft Security Bulletins
    1.1. MS01-015 v. 2 - IE can Divulge Location of Cached Content

    This is an update to a bulletin from March 2001. The March issue of this
    bulletin contained four patches:

    * The IE can divulge location of cached content patch
    * A patch against a new variant of the frame domain verification
    vulnerability using Internet Explorer
    * A patch against a frame domain verification vulnerability using
    Windows Scripting Host
    * A patch against the telnet invocation vulnerability on systems that
    have the Services for Unix installed.

    This bulletin was re-released on April 20, 2001, after Microsoft
    discovered a regression error in the Windows Scripting Host patch. The
    latest version of the bulletin announces a new version of that patch.
    The other three patches issued with the original bulletin remain
    unchanged.

    The effect of the regression error was reported by Georgi Guninski on
    March 31. He discovered that a script on a web page could invoke the
    MSScriptControl.ScriptControl object and then have that object evaluate
    script code passed to it. Script code passed to the
    MSScriptControl.ScriptControl object executed outside the sandbox
    normally imposed on scripts, allowing it to take actions not normally
    allowed, such as reading a file on the user's hard drive. The patch
    eliminates this issue by restoring the sandbox on the
    MSScriptControl.ScriptControl. Guninski later issued another advisory
    claiming that you could use XML Stylesheets (XSL) to run VBScript code
    to read files local to the user's hard drive. However, that exploit also
    used the MSScriptControl.ScriptControl object, and hence it also fails
    on a system that is updated to the latest Windows Scripting Host patch.

    To determine whether a particular computer is still vulnerable to the
    regression error in the Windows Scripting Host patch you need to
    investigate the version number of either
    %systemroot%/system32/jscript.dll or %systemroot%/system32/vbscript.dll.
    If the first two digits of the version number are either 5.1 or 5.5 AND
    the last four digits are 6330 or greater, the system is fully patched.
    If the version is anything else, the system is vulnerable. If the
    version of either of these files is less than 5.1 it is vulnerable, but
    the patch cannot be applied. In that case, you must upgrade to the new
    version of the Windows Scripting Host instead.

    To patch a system, install the newest version of the Windows Scripting
    Host. Version 5.1 is normally used with Internet Explorer 5.1 and
    version 5.5 with Internet Explorer 5.5. However, there is no harm in
    using either one regardless of which version of IE is on the system.
    The newest versions are available at:

    * WSH 5.1:
    http://www.microsoft.com/msdownload/vbscript/scripting51.asp
    * WSH 5.5
    http://www.microsoft.com/msdownload/vbscript/scripting.asp

    These issues have been issued the following CVE candidate numbers:
    * Cached content identifier vulnerability: CAN-2001-0002
    * New variant of "frame domain verification" vulnerability:
    CAN-2001-0148
    * Windows Script Host vulnerability: CAN-2001-0149
    * Telnet invocation vulnerability: CAN-2001-0150

    For more information see:
    * Microsoft Security Bulletin MS01-015
    http://www.microsoft.com/technet/security/bulletin/MS01-015.asp
    * Microsoft Knowledge Base (KB) article Q286045 "Patch Available for
    Cached Content Identification Vulnerability"
    http://www.microsoft.com/technet/support/kb.asp?ID=286045
    * Microsoft Knowledge Base (KB) article Q280768 "INFO: Update Available
    for "Cross-Domain File Reading Vulnerability" Issue"
    http://www.microsoft.com/technet/support/kb.asp?ID=280768
    * Microsoft Knowledge Base (KB) article Q286043 "Patch Available for
    Telnet Logging Vulnerability"
    http://www.microsoft.com/technet/support/kb.asp?ID=286043
    * The CVE Information
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0002
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0148
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0149
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0150

    1.2. MS01-021 - Invalid Web Request Can Cause Access Violation in ISA
         Server Web Proxy Service

    This bulletin announces a patch against a Denial of Service
    vulnerability in Microsoft ISA Server 2000. This vulnerability,
    discovered by the SecureXpert Labs, would result in a shutdown of all
    web proxy services across the ISA server.

    Web Proxy is used by ISA both to proxy internal requests to external
    web servers, and to proxy external requests to internal web servers.
    There are two ways to exploit this vulnerability from the outside. The
    first is that an attacker persuades an internal user to make a malformed
    request to an external web server. If the Web Publishing feature is
    turned on (it is not by default) the attacker can make a malformed
    request to an internal web server that is published through ISA server,
    also triggering the attack.

    The attack is very simple to exploit, requiring only a very long path
    field in a URL. Microsoft originally claimed that this buffer overflow
    was not exploitable. However, dark spyrit has reported that it indeed
    is exploitable, at least some of the time. This significantly raises
    the threat posed by this issue.

    Note that the SecureXpert Labs also released a denial of service exploit
    for this vulnerability along with their advisory. Therefore,
    administrators are strongly advised to install the patch as soon as
    possible. It is available at:

    http://download.microsoft.com/download/ISAServer2000/webproxy/
    Q295279/NT5/EN-US/isahf63.exe

    This issue has received CVE Candidate number CAN-2001-0239

    For more information see:
    * Microsoft Security Bulletin MS01-021
    http://www.microsoft.com/technet/security/bulletin/MS01-021.asp
    * Microsoft Knowledge Base (KB) article Q295279 "Web Proxy Service
    Crashes If URL Requests a Specifically Malformed Argument"
    http://www.microsoft.com/technet/support/kb.asp?ID=295279
    * The CVE Information
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0239

    1.3. MS01-022 - WebDAV Service Provider Can Allow Scripts to Levy
         Requests as User

    This bulletin announces a patch for an attack announced by Georgi
    Guninski in March 2001 (see item 3.3.1 in the March 2001 Windows
    Security Digest). The vulnerability is in a component of the Web
    Distributed Authoring and Versioning (WebDAV) web-based collaboration
    functionality that ships with various Microsoft products, such as all
    current operating systems and Microsoft Office.

    WebDAV includes a component called the Microsoft Data Access Component
    Internet Publishing Provider (MSDAIPP). This component is used to
    provide an MDAC interface to a data resource on a web site, such as a
    file or an Exchange Server web mailbox. The problem with this component
    is that it does not check the source of requests for its services. If
    the source is a script on a web page or in an HTML formatted e-mail,
    its access rights should be those of the web page or the HTML e-mail.
    However, the MSDAIPP component will levy those requests in the context
    of the user that executed the script instead. If the requested resource
    is in a domain that the user has already authenticated to, the access is
    automatically authenticated.

    To determine whether a particular system is vulnerable, check the
    version of the following file:

    %systemdrive%\Program Files\Common Files\System\Ole DB\msdaipp.dll

    (this is the typical location of this file, but it could vary on any
    given system).

    The following versions are vulnerable:
    * 8.102.1403.0
    * 8.103.2402.0
    * 8.103.2519.0

    A patch is available at:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29129

    This issue has received CVE Candidate number CAN-2001-0238

    For more information see:
    * Microsoft Security Bulletin MS01-022
    http://www.microsoft.com/technet/security/bulletin/MS01-022.asp
    * Microsoft Knowledge Base (KB) article Q296441 "WebDAV Service Provider
    Can Allow Scripts to Levy Requests as a User"
    http://www.microsoft.com/technet/support/kb.asp?ID=296441
    * The CVE Information
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0238
    * The March 2001 SANS Windows Security Digest
    http://www.sans.org/newlook/digests/ntdigest.htm
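
    The version checks described in items 1.1 (jscript.dll / vbscript.dll)
    and 1.3 (msdaipp.dll), applied to a collected file inventory. This is an
    added example, not part of the original digest; the inventory rows, host
    names and function names are constructed for illustration.

```python
import ntpath
from typing import NamedTuple

# Thresholds and version lists as stated in the digest text.
WSH_FILES = {"jscript.dll", "vbscript.dll"}
WSH_BRANCHES = {(5, 1), (5, 5)}   # "first two digits" that can carry the fix
WSH_FIXED_BUILD = 6330            # "last four digits are 6330 or greater"
MSDAIPP_VULNERABLE = {(8, 102, 1403, 0), (8, 103, 2402, 0), (8, 103, 2519, 0)}


class Finding(NamedTuple):
    host: str
    file: str
    version: str
    status: str
    action: str


def parse_version(text):
    """Turn '5.1.0.6330' or '5, 1, 0, 6330' into a 4-tuple of ints."""
    parts = [p.strip() for p in text.replace(",", ".").split(".")]
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def classify_wsh(ver):
    branch, build = ver[:2], ver[3]
    if branch < (5, 1):
        return "vulnerable", "upgrade WSH; the patch cannot be applied"
    if branch in WSH_BRANCHES and build >= WSH_FIXED_BUILD:
        return "patched", "none"
    # The digest treats every other version as vulnerable.
    return "vulnerable", "install the newest WSH 5.1 or 5.5"


def classify_msdaipp(ver):
    if ver in MSDAIPP_VULNERABLE:
        return "vulnerable", "apply the MS01-022 patch"
    return "not listed", "none"


def triage(inventory):
    """inventory: iterable of (host, file path, version string) rows."""
    findings = []
    for host, path, version in inventory:
        name = ntpath.basename(path).lower()
        if name in WSH_FILES:
            classify = classify_wsh
        elif name == "msdaipp.dll":
            classify = classify_msdaipp
        else:
            continue
        try:
            status, action = classify(parse_version(version))
        except ValueError:
            status, action = "unknown", "read the file version by hand"
        findings.append(Finding(host, name, version, status, action))
    return findings


def vulnerable_hosts(findings):
    return sorted({f.host for f in findings if f.status == "vulnerable"})


# Constructed inventory: host names and versions are sample data.
OLEDB = r"C:\Program Files\Common Files\System\Ole DB\msdaipp.dll"
SAMPLE_INVENTORY = [
    ("ws01", r"C:\WINNT\system32\jscript.dll", "5.1.0.6330"),
    ("ws01", r"C:\WINNT\system32\vbscript.dll", "5.1.0.5010"),
    ("ws02", r"C:\WINNT\system32\jscript.dll", "5, 5, 0, 6330"),
    ("ws03", r"C:\WINNT\system32\vbscript.dll", "5.0.0.3715"),
    ("ws03", OLEDB, "8.103.2402.0"),
    ("ws04", OLEDB, "8.103.9999.0"),
    ("ws04", r"C:\WINNT\system32\jscript.dll", "n/a"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:5} {f.file:13} {f.version:15} {f.status:11} {f.action}")
```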

    2. Microsoft Software Issues

    2.1. All/Other Microsoft Software Issues
    2.1.1. ISA server configuration error can cause denial of service

    Peter Gründl of DefCom warns of a configuration issue with Microsoft
    Internet Security and Acceleration server (ISA server) 2000. If the
    "Event Log Failure" setting is turned on in ISA server, ISA server will
    spawn a command shell each time it fails to write to the event log. The
    default setting for the event logs in Windows 2000 is not to overwrite
    events as needed. Therefore, an attacker can launch a large number of
    bad packets against an ISA server installation, causing it to fill up
    the event log. Once the event log is full, the server will spawn new
    shells each time a bad packet is received, potentially using up a
    considerable amount of memory and processing power on the victim server.

    Microsoft has documented this behavior in Q284800. We recommend that
    the event logs on the ISA server be set to a large size and to overwrite
    events as needed to prevent a denial of service condition when the logs
    fill up. In a high security environment, it may be preferable to cause
    the system to shut down when the logs fill up. Such a decision should
    be made clear in the organizational security policy.

    2.1.2. Windows FTP client buffer overflow

    DefCom Labs reported a buffer overflow in the FTP client that ships with
    several Windows operating systems. This buffer overflow was actually
    reported in 1999. Since the overflow executes with the privileges of
    the user that launched the FTP client, there is no exposure unless an
    unprivileged user can cause an Administrator to execute a malicious FTP
    script. There is no patch for this issue at this point, but
    administrators are warned against executing FTP scripts without first
    evaluating whether they have been modified by unprivileged users.

    2.1.3. New version of L0phtCrack

    There is a new version of the venerable password cracking tool
    L0phtCrack available. L0pht Heavy Industries was absorbed by Stake some
    time ago, and Stake, under the name Security Software Technologies,
    Inc., has recently released L0phtCrack 3.0. The new version is capable
    of reversing syskey encryption of hashes retrieved from the local hash.
    It is also network aware and can dump password hashes from a remote
    machine, as long as the remote machine is not syskeyed (thus rendering
    it incapable of doing so from a Windows 2000 target). Furthermore, it
    makes password cracking easier by including a wizard which walks novice
    users through the steps necessary. Lastly, it includes the ability to
    crack passwords but not show what the password was, only that it was
    cracked, rendering it more socially acceptable.

    2.1.4. New attack tool for Windows networking
    Sir Dystic of the Cult of the Dead Cow released a new attack tool for
    Windows networking at lanta.con on March 31, 2001. The tool is called
    SMBRelay, and is used to connect back to SMB clients.

    The way the tool works is by capturing the password hashes the SMB
    client on a host passes to a server in the process of making an SMB
    connection. The tool then uses these hashes to connect back to the SMB
    Server on the original client host. The tool sets up a listener on port
    139 and waits for clients to connect to it. As soon as a client does,
    the tool makes a connection back to port 139 on the client. As the
    client passes the authentication information to the tool, the tool
    passes them back to port 139 on the client, thus completing the
    connection. At the end of the negotiation process, the tool sets up a
    special interface on the attacker's machine that represents the victim.
    The attacker can now use this interface to map shares on the victim and
    act as the user that made the original connection to the attacker's
    server.

    The exploit is extremely fickle with regard to how the connections are
    made. In our test scenario we were able to use it to capture password
    hashes, but we were unable to actually make a reverse connection.
    Nevertheless, this could be a dangerous tool. Therefore, certain steps
    are warranted to ensure that its impact is minimized:

    1. Remove or disable the Server service (File and Print Services for
    Microsoft Networks) on all machines that do not need it.
    2. The tool will capture the credentials that are passed automatically
    when the client connects. Those are the credentials that the currently
    logged on user logged on with. By ensuring that users do not log on as
    an administrator you minimize the impact those credentials could have.
    3. The tool needs the client to initiate the connection to the attacker's
    server. Beware of any HTML links to URLs such as file://<ip address
    here> or "\\<ip address>\share".
    4. Ensure that both incoming and outgoing SMB is blocked at the firewall
    by blocking ports 139 and 445 TCP and UDP at the firewall.
    5. Disable LanMan hashes on the network by setting the
    LMCompatibilityLevel on your clients to 3.
    6. Disable storing of LanMan hashes. On Windows 2000 you can disable
    storing of LanMan hashes completely by setting a registry value:
    Hive: HKEY_LOCAL_MACHINE
    Key: System\CurrentControlSet\Control\NoLMHash

    Note, this is a key, not a value. Creating this key will result in no
    LanMan hashes being created for new user accounts and when an existing
    user changes his/her password. This functionality is going to be fully
    supported in Windows Whistler/XP, through Group Policy. Setting this
    value on a domain will cause no LanMan hashes to be generated when
    domain accounts have passwords changed or set. Remember, however, that
    this will break compatibility with some very old down-level clients.
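
    A check for the links that step 3 warns about: it scans an HTML page or
    HTML e-mail body for attributes that would make a Windows client open an
    SMB connection to a remote host. This is an added example, not part of
    the original digest; the attribute list, the allow-list parameter and
    the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that commonly carry a URL the client fetches or follows.
URL_ATTRS = {"href", "src", "background", "action", "data"}
UNC_RE = re.compile(r"^\\\\([^\\/]+)")        # \\host\share
DRIVE_RE = re.compile(r"^[A-Za-z][:|]$")      # C: or C| is a local drive


def smb_host(url):
    """Return the remote host a link would reach over SMB, or None."""
    url = url.strip()
    unc = UNC_RE.match(url)
    if unc:
        return unc.group(1).lower()
    if not url.lower().startswith("file:"):
        return None
    rest = url[5:].replace("\\", "/")
    slashes = len(rest) - len(rest.lstrip("/"))
    # file://host/share names a host; file:///C:/x is a local path;
    # four or five slashes is the UNC spelling (file:////host/share).
    if slashes == 2 or slashes >= 4:
        host = rest.lstrip("/").split("/", 1)[0].lower()
        if host and host != "localhost" and not DRIVE_RE.match(host):
            return host
    return None


class LinkScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed = {h.lower() for h in allowed_hosts}
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                host = smb_host(value)
                if host and host not in self.allowed:
                    self.hits.append((tag, name, host))


def scan_html(html, allowed_hosts=()):
    """Return (tag, attribute, host) for every SMB-triggering link."""
    scanner = LinkScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.hits


# Constructed sample: addresses come from the documentation range.
SAMPLE_HTML = r"""
<html><body background="file://192.0.2.77/img/bg.gif">
<p>Quarterly numbers are <a href="\\192.0.2.77\reports\q1.xls">here</a>.</p>
<img src="file://///fileserver.example.com/logos/corp.gif">
<a href="file:///C:/docs/readme.txt">local readme</a>
<a href="http://www.example.com/">web site</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, host in scan_html(SAMPLE_HTML):
        print(f"<{tag} {attr}=...> would connect to {host} over SMB")
```

    Passing the organization's own file servers as allowed_hosts keeps
    legitimate intranet links out of the report.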

    3. Third-Party Software Issues
    3.1. Buffer overflows discovered this month
    Buffer overflows can generally be used to execute arbitrary code on the
    victim host. Many buffer overflows are discovered each month. We report
    the ones we know about here. In addition, we have tried to give you a
    little more information in a concise format. To that end, certain items
    are marked with an (F) and/or (E). (E) means that an exploit for this
    issue is publicly available. (F) means that a fix is available
    currently. We have also, in some cases, included a URL after the item.
    That URL points to either a fix, if one is available, or to the vendor's
    web site, if we know it.
    * (F) Symantec Ghost 6.5 (Fixed in version 7.0. The flaw is in the
    Sybase database engine that ships with Ghost)
    * Sybase Adaptive Server Anywhere Database Engine V6.0.3.2747
    * (F) Netscape SmartDownload (fixed in version 1.4:
    http://home.netscape.com/download/smartdownload.html)
    * (F) iPlanet Web Server Enterprise Edition 4.0 and 4.1 (a fix is
    available at
    http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.html)
    * (F) CrossWind CyberScheduler (The most recent version, available at
    http://www.crosswind.com/download.htm, has fixed this issue)
    * (F) IPSwitch IMail 6.06 (patch is available at
    http://ipswitch.com/support/IMail/patch-upgrades.html)

    3.2. Other Remote Denial of Service (DoS) Attacks discovered this month
    Buffer overflows can also be used to perpetrate DoS attacks. In
    addition, DoS attacks can be launched many other ways, as well. In this
    section, we report new DoS attacks that we know about. Some are
    discussed in more detail below. (F) means that there is a
    vendor-supplied fix available.
    * (F) Inframail v3.97a (fixed in v 3.98a, http://www.infradig.com)
    * (F) Navison Financials Server v. 2.5 and 2.6 (a patch is available
    from Navison: http://www.navison.com)
    * 602Pro LanSuite v. 2000a
    * Savant 3.0
    * (F) Lotus Domino R5 prior to 5.0.7 (fixed in v. 5.0.7, available at
    http://www.notes.net/qmrdown.nsf/QMRWelcome)
    * (F) Symantec Ghost 6.5 (Fixed in version 7.0)
    * IBM WebSphere 3.12

    3.3. TrendMicro ScanMail for Exchange 3.5 stores unprotected passwords
    in the registry

    Jon Maucher and Bill Wall discovered that TrendMicro's ScanMail for
    Exchange version 3.5 stores passwords in an unsafe manner. The product
    captures the Windows user name, domain name, and password of the last
    user to log on to the system where ScanMail is installed. These values
    are stored in obfuscated form in the following registry keys:

    Hive: HKEY_LOCAL_MACHINE
    Key: Software\TrendMicro\ScanMail for Exchange\RemoteManagement
    Key: Software\TrendMicro\ScanMail for Exchange\UserInfo

    These keys are world-readable.

    TrendMicro has produced a patch for this issue. It is available on the
    TrendMicro web page: http://www.antivirus.com.

    3.4. Roxio EZ-CD Creator 5.0 disables screen saver passwords

    Shawn Hanley of Dyncorp reported to us that Roxio (Adaptec spun off
    their CD burner software business into Roxio earlier this year) EZ CD
    Creator up through 5.0 will disable your screen saver passwords. This
    happens when a user creates a CD layout and then runs the test option.
    A normal burn, without a test, does not disable the password. Hanley
    has notified Roxio, but has received no response.

    3.5. Veritas BackupExec IDR may fail on Microsoft Small Business Server
         2000

    Veritas Software issued an advisory that their Intelligent Disaster
    Recovery (IDR) agent may not work properly on Microsoft Small Business
    Server 2000. Microsoft registers a number of COM objects in the registry
    using 8.3 directory names that are generated dynamically. During an
    Intelligent Disaster Recovery, a minimal operating system is installed
    prior to recovery. That installation contains many of these COM object
    registrations, but the directory names may not be the same as those
    created in the original installation, causing various functionality to
    fail. Veritas recommends that the IDR functionality not be used with
    Small Business Server 2000 until this issue is resolved.

    For more information, see the Veritas advisory at:
    http://seer.support.veritas.com/docs/235745.htm

    3.6. Netscape Navigator 4.76 can transmit history to servers

    Florian Wesch reported that an attacker can trick Netscape Navigator
    4.76 into transmitting a user's browsing history to a malicious server.
    The trick is accomplished by embedding script in the comment for an
    image on a web page. The comments execute using the "about" protocol,
    and thus have access to about:global, which contains the browser
    history.

    This behavior was fixed in Navigator 4.77.

    3.7. PGP allows creation of file on user's computers

    The stake labs issued an advisory regarding PGP. PGP supports ASCII
    armored files, which can contain keys, signatures, and also entire
    files. It is possible to embed an arbitrary binary file in such an
    armored file. When the ASCII armored file is parsed, the embedded binary
    file is extracted and stored in the same directory as the armored file.

    Network Associates, which maintains PGP, has issued patches for PGP 7.03
    Freeware, and the licensed version 7.04:

    * 7.04
    http://download.nai.com/products/licensed/pgp/desktop_security/windows/
    version_7.04/hotfix/PGPDS704Hotfix1.zip
    * 7.0.3
    http://download.nai.com/products/freeware/pgp/windows/version_7.03/
    hotfix/PGPfreeware703Hotfix1.zip

    The Stake advisory contains additional details, and users who are
    "effected[sic] by this issue" are advised to read the advisory at:
    http://www.atstake.com/research/advisories/2001/a040901-1.txt

    3.8. Eudora can leak local files

    Magnus Bodin reported a file leakage problem with all known versions of
    Eudora. In order to save space Eudora extracts attachments from incoming
    messages and stores them in a temporary directory on the user's hard
    drive. The attachment is replaced by the text

    Attachment converted: "<path to stored attachment>"

    An attacker could create an e-mail that contained a statement such as

    ttachment converted: "c:\winnt\repair\sam"

    (it is deliberately misspelled to prevent Eudora users from forwarding
    their password database to us)

    This statement would not be removed from the incoming e-mail. If the
    recipient forwarded the e-mail to someone, for example, the attacker,
    the file the attacker specified would be included in the forwarded
    e-mail.

    Qualcomm was notified of this several years ago, but has not yet
    resolved this disturbing behavior.
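
    With no vendor fix, one mitigation is to flag incoming mail whose text
    already carries the marker line before it reaches a Eudora user. The
    filter below is an added example, not part of the original digest; the
    function names and the sample message are constructed, and a message
    forwarded from another Eudora user can also contain the line, so a hit
    means "review", not "malicious".

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# The marker Eudora writes in place of an extracted attachment.
MARKER_RE = re.compile(
    r'^[ \t]*Attachment converted:[ \t]*"?([^"\r\n]+?)"?[ \t]*\r?$',
    re.IGNORECASE | re.MULTILINE,
)


def part_text(part):
    """Decode a text part, falling back to latin-1 on an unknown charset."""
    try:
        return part.get_content()
    except (LookupError, UnicodeError):
        return (part.get_payload(decode=True) or b"").decode("latin-1")


def marker_paths(raw_message):
    """Return every path named by a marker line in any text part.

    Parts are decoded first, so a marker hidden behind base64 or
    quoted-printable transfer encoding is still found.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    paths = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            paths.extend(m.group(1) for m in MARKER_RE.finditer(part_text(part)))
    return paths


def build_message(body, cte="7bit"):
    """Build a constructed test message with the given body text."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content(body, cte=cte)
    return msg.as_string()


# Constructed samples; the path is a harmless placeholder.
SUSPECT = build_message(
    'Please forward this to the team.\n'
    'Attachment converted: "C:\\constructed\\sample.txt"\n',
    cte="base64",
)
CLEAN = build_message("Minutes of the meeting are below.\n")

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(name, marker_paths(raw))
```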

    3.9. Opera stops prompting for file download

    http-equiv reported a problem with the free Opera 5.02 build 856a web
    browser. As is usual, when a user attempts to download a file from a
    web site, the open/save dialog is presented. However, if the user
    chooses open for a particular file, the browser sets this to the default
    for that file type from then on. In other words, if the user chooses to
    open an executable directly without first storing it to the file system,
    s/he will never be prompted before downloading and running another
    executable again.

    3.10. Computer Associates' CCC\Harvest uses very weak encryption

    Computer Associates' CCC\Harvest source code control software version
    5.0 uses an extremely weak password encryption scheme. The scheme,
    basically a character substitution cipher, can be reverse engineered by
    any user on the system to obtain the substitution matrix. Once that
    matrix is built it is a trivial matter to reverse engineer any password
    defined by the application.

    3.11. G6 FTP Server 2.0 vulnerabilities

    The stake Labs issued an advisory regarding Gene6's G6 FTP Server 2.0.
    The program supports several commands, such as "size" and "mdtm". If
    the "show relative paths" option has not been set in the server
    configuration, an attacker can run those commands against files outside
    the FTP root. While the attacker cannot execute any files outside the
    FTP root, this could provide her with information about the file system
    on the server. Furthermore, these commands can specify a UNC path. If
    the attacker controls the UNC path, the server can be made to transmit
    the Windows credentials automatically, depending on the underlying
    operating system running on the FTP server. This could result in
    complete compromise of the FTP server.

    The vendor has made an upgrade available that fixes these issues. The
    name of the product has changed to BPFTP Server 2.10. It is available
    at: http://www.bpftpserver.com/download.html

    3.12. Directory traversal bug in Viking web server

    A report was posted regarding a directory traversal bug in Viking web
    server 1.07 and earlier. This is fixed in 1.07-381, available at:
    http://www.robtex.com

    3.13. RaidenFTPD v2.1 directory traversal bug and fix

    Joe Testa reported a directory traversal bug in RaidenFTPD v2.1. It
    affects multiple builds, but was fixed in build 952. That build is
    available from http://playstation2.idv.tw/raidenftpd/download.html.

    3.14. WebXQ v2.1.204 directory traversal bug and fix

    Joe Testa reported a directory traversal bug in the WebXQ v2.1.204 web
    server. The problem was fixed in version 2.1.205, available at:
    http://www.datawizard.net/Free_Software/WebXQ_Free/webxq_free.htm.

    =======================================================================

    The SANS Windows Security Digest is available at no cost to all system,
    network, and security professionals who work with Windows. To subscribe,
    email digestsans.org with the subject Windows Security Digest. Back
    issues are available at http://www.sans.org/newlook/digests/ntdigest.htm

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE67W85+LUG5KFpTkYRAkj7AJ96NhzQUQKAnU61zd8l7jFC98sXqgCglTQy
    03NMELNzEs5W1m0qLunoVFc=
    =QOl0
    -----END PGP SIGNATURE-----