Re: MS Personal Web Server

Rubens Kuhl Jr. (rkuhljr@PUERIDOMUS.BR)
Mon, 23 Mar 1998 02:20:56 -0300

What version of MS PWS does this apply to ?

NT Option Pack includes IIS 4.0 for NT Server, PWS 4.0 for NT Workstation
and PWS 4.0 for Windows 95, and I would think (although I haven't tested to
be sure) that this doesn't affect PWS 4.0/Win95.

Rubens Kuhl Jr.

> -----Original Message-----
> From: Lynn Kyle [SMTP:lynn@RAINC.COM]
> Sent: Sunday, March 22, 1998 2:15 PM
> To: BUGTRAQ@NETSPACE.ORG
> Subject: MS Personal Web Server
>
> Has this been reported?
>
> The MS Personal Web Server (tried on the win95, not NT) suffers
> from the old IIS 3.0 unpatched bug of allowing you to download
> asp files by using a trailing ".".
>
> e.g.,
>
> telnet victim 80
> GET /default.asp. HTTP/1.0
>
> will give you the contents of the asp not the result.
> oops for any of you embedding a db login/pass in the asp.
>
> Mike