Home page logo

bugtraq logo Bugtraq mailing list archives

Re: personal web server directory traversal vulnerability patch
From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 14 Jun 2001 17:01:38 -0400

David Raitzer wrote:

I assembled an effective patch for the UNICODE directory traversal
vulnerability issue in Microsoft Personal Web Server 4.0 for Windows 95/98,
which was noted previously on this list.  It can be downloaded at:


I was spending my morning trying to decide how to address this issue
and saw your email. Talk about timing. :)

Being responsible (paranoid?), I wanted to verify the patch files
against the Microsoft equivalents. I had assumed that you mixed and
matched existing Microsoft dlls and exes from the various patches and 
created your own installer.

I unpackaged the -010 and -078 patches and tried to do file compares.
Many of the .DLL files in your package didn't match files in either
Microsoft package.

I also couldn't find some of the version numbers included in your package 
on the Microsoft DLL Help database.

Anyway, I was curious where these files came from. Did you use a binary
editor to patch them or recreate them from scratch somehow? Or am I just 
looking in the wrong places?

Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]