mailing list archives
.htr bug still exist after applying MS patches.
From: System1 <System () tiemiddleeast com>
Date: Tue, 30 Jan 2001 11:44:48 +0200
MS01-004 is out.
I sent few days ago this letter to microsoft:
From: Moran [mailto:Moran () TIEMIDDLEEAST com]
Sent: Saturday, January 20, 2001 4:55 PM
To: secure () microsoft com
Subject: .htr bug still exist after applying MS patches.
I have server running win2000 adv. server with IIS 5.
I have applied all relevant MS patches.
after I did it I checked for security problems and did as follow:
(the asp making a check with the SQL server for user name and password
and i get error of unknown login ID. thats fine.)
BUT when I did:
I get blank page and when I view the source I get this line:
so attacker now can know in which file my DSN details are located.
what im worried about is that attacker can imporve this method to show
the full asp file source.
notice that I added all MS patches and I can still do it.
is there any specific patch to prevent this ?
please let me know ASAP.
TIE Middle East Ltd.
mailto:moran () tiemiddleeast com <mailto:moran () tiemiddleeast com>
- .htr bug still exist after applying MS patches. System1 (Jan 30)