Subject: Re: More info on MS00-019
From: mock (ACTIVESTATE.COM)
Date: Wed Apr 12 2000 - 19:16:26 CDT
- Next message: Microsoft Product Security: "Microsoft Security Bulletin (MS00-024)"
- Previous message: Microsoft Product Security: "Microsoft Security Bulletin (MS00-023)"
- Next in thread: Alan Monaghan: "Re: More info on MS00-019"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Fri, Apr 07, 2000 at 12:25:33PM -0500, rain forest puppy wrote:
> In usual tradition, little information is to be had about the "Virtualized
> UNC Share" problem talked about in MS00-019. Luckily, MS was nice enough
> to submit an extra post to Bugtraq to give Adam Coyne credit.
>
> Anyways, for those of you interested in the problem, making a request for
> a file with a trailing '\' from a virtual directory hosted on a UNC share
> will cause the source to be given. So, for example:
>
> Virtual directory: /test/ -> \\some_server\share\
> There exists \\some_server\share\test.asp
>
> Now a simple request such as "GET /test/test.asp\ HTTP/1.0" will yield the
> source of test.asp.
>
> - rain forest puppy
>
> ps. No, I'm not dead. Fun stuff coming up *very* soon. :)
>
Just did a quick test of this and the same thing works for Perl scripts on NT
4.0 SP6a, IIS 4.0 with ActivePerl 5.6 using either "perl.exe %s %s" in the
script mappings or "perlis.dll". I assume that it should work for perlex.dll
as well, though I haven't tried it. My advice is not to run any CGIs out of
virtual directories.
mock
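The request pattern described in this thread (a trailing backslash appended to a script-mapped file in a virtual directory) leaves a recognisable trace in IIS W3C extended logs. The following is an added example, not part of the post or of any Microsoft or ActiveState tooling: a small parser for the W3C "#Fields:" format and a check that flags requests whose URI stem ends in one or more backslashes (raw or URL-encoded as %5C) once the backslashes are stripped, the remaining name carries an extension that IIS hands to a script engine. The log lines are constructed for the example; the set of script-mapped extensions (".asp" for ASP, ".pl" for ActivePerl) is an assumption and should be replaced with the mappings actually configured on the server being reviewed.

```python
"""Flag MS00-019-style trailing-backslash requests in IIS W3C extended logs.

Added example; the log lines below are constructed, not taken from a real server.
"""
import os
import re
from urllib.parse import unquote

# Extensions mapped to a script engine in IIS; their source should never be
# served verbatim. ASSUMPTION for this example: ASP and ActivePerl mappings.
SCRIPT_EXTENSIONS = {".asp", ".pl"}

# One or more backslashes at the very end of the decoded URI stem.
TRAILING_BACKSLASH = re.compile(r"\\+$")


def is_source_disclosure_probe(uri_stem: str) -> bool:
    """True if the stem is 'script file + trailing backslash(es)'.

    The stem is URL-decoded first so that a literal '\\' and its encoded
    form '%5C' are treated alike.
    """
    decoded = unquote(uri_stem)
    if not TRAILING_BACKSLASH.search(decoded):
        return False
    base = TRAILING_BACKSLASH.sub("", decoded)
    ext = os.path.splitext(base)[1].lower()
    return ext in SCRIPT_EXTENSIONS


def parse_w3c(lines):
    """Yield one dict per record, keyed by the names in the '#Fields:' directive."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Version) and blank lines
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_probes(lines):
    """Return (client_ip, method, uri_stem, status) for every flagged request."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        if is_source_disclosure_probe(stem):
            hits.append((rec["c-ip"], rec["cs-method"], stem, rec["sc-status"]))
    return hits


# Constructed sample log: one normal ASP request, one with a literal trailing
# backslash, one Perl script with an encoded backslash, one static file with a
# backslash (not script-mapped, so not flagged) and one directory request.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-04-12 19:16:26 192.0.2.10 GET /test/test.asp - 200
2000-04-12 19:16:31 192.0.2.10 GET /test/test.asp\\ - 200
2000-04-12 19:16:40 192.0.2.11 GET /test/hello.pl%5C - 200
2000-04-12 19:16:55 192.0.2.12 GET /images/logo.gif\\ - 404
2000-04-12 19:17:02 192.0.2.13 GET /test/ - 200
""".splitlines()


if __name__ == "__main__":
    for ip, method, stem, status in find_probes(SAMPLE_LOG):
        print(f"{ip} {method} {stem} -> {status}")
```

A flagged request that also returned status 200 is the case worth investigating, since a 200 on such a request means the server most likely returned the script body rather than executing it; a 404 or 403 indicates the request was rejected.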