Is there a kb article for this IIS vulnerability?

Re: CAN-1999-0776 by Roger

Roger
Wed Nov 02 23:05:52 CST 2005

Am I missing something?
IIS is not the Alibaba HTTP server but as MS only markets IIS then
why would they issue a KB on this?

--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
"jkavanagh58" <jkavanagh58@discussions.microsoft.com> wrote in message
news:5CDAB813-A403-4CF3-96A1-D973AEF867B4@microsoft.com...
> Is there a kb article for this IIS vulnerability?



Re: CAN-1999-0776 by jkavanagh58

jkavanagh58
Thu Nov 03 10:00:10 CST 2005

It is an IIS vulnerability. This CAN does apply to IIS, meaning using the
dots you can access system files.

"Roger Abell [MVP]" wrote:

> Am I missing something?
> IIS is not the Alibaba HTTP server but as MS only markets IIS then
> why would they issue a KB on this?
>
> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
> MCDBA, MCSE W2k3+W2k+Nt4
> "jkavanagh58" <jkavanagh58@discussions.microsoft.com> wrote in message
> news:5CDAB813-A403-4CF3-96A1-D973AEF867B4@microsoft.com...
> > Is there a kb article for this IIS vulnerability?
>
>
>

Re: CAN-1999-0776 by Paul

Paul
Thu Nov 03 13:05:58 CST 2005

In article <86189C9C-1E64-4E03-87DB-B1809E909963@microsoft.com>, in the
microsoft.public.security news group, jkavanagh58
<jkavanagh58@discussions.microsoft.com> says...

> It is an IIS vulnerability. This CAN does apply to IIS, meaning using the
> dots you can access system files.
>

Where do you see that this applies to IIS? This hasn't even been
accepted for inclusion in the CVE list and given the fact that it was
put forward for inclusion on 12/14/99 and still hasn't been accepted one
can safely assume that it won't be.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea

Re: CAN-1999-0776 by jkavanagh58

jkavanagh58
Thu Nov 03 13:48:03 CST 2005

Well maybe it is not IIS, but it is an opening. Sorry to have wasted
everyone's time.

"Paul Adare" wrote:

> In article <86189C9C-1E64-4E03-87DB-B1809E909963@microsoft.com>, in the
> microsoft.public.security news group, jkavanagh58
> <jkavanagh58@discussions.microsoft.com> says...
>
> > It is an IIS vulnerability. This CAN does apply to IIS, meaning using the
> > dots you can access system files.
> >
>
> Where do you see that this applies to IIS? This hasn't even been
> accepted for inclusion in the CVE list and given the fact that it was
> put forward for inclusion on 12/14/99 and still hasn't been accepted one
> can safely assume that it won't be.
>
> --
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/
> "The English language, complete with irony, satire, and sarcasm, has
> survived for centuries without smileys. Only the new crop of modern
> computer geeks finds it impossible to detect a joke that is not clearly
> labeled as such."
> Ray Shea
>

Re: CAN-1999-0776 by Roger

Roger
Thu Nov 03 17:23:38 CST 2005

Also, it is about a product no longer marketed.

--
Roger
"Paul Adare" <padare@newsguy.com> wrote in message
news:MPG.1dd4299f744f0afd989f2e@msnews.microsoft.com...
> In article <86189C9C-1E64-4E03-87DB-B1809E909963@microsoft.com>, in the
> microsoft.public.security news group, jkavanagh58
> <jkavanagh58@discussions.microsoft.com> says...
>
>> It is an IIS vulnerability. This CAN does apply to IIS, meaning using the
>> dots you can access system files.
>>
>
> Where do you see that this applies to IIS? This hasn't even been
> accepted for inclusion in the CVE list and given the fact that it was
> put forward for inclusion on 12/14/99 and still hasn't been accepted one
> can safely assume that it won't be.
>
> --
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/
> "The English language, complete with irony, satire, and sarcasm, has
> survived for centuries without smileys. Only the new crop of modern
> computer geeks finds it impossible to detect a joke that is not clearly
> labeled as such."
> Ray Shea



Re: CAN-1999-0776 by Roger

Roger
Thu Nov 03 17:25:09 CST 2005

No problem, but FYI

IIS can allow or disable use of ..\ traversal up the parent paths,
based on how it is configured. If allowed, NTFS access checks
are still used to prevent going where the account should not.

--
Roger
"jkavanagh58" <jkavanagh58@discussions.microsoft.com> wrote in message
news:153B2AEE-AED6-4F93-84BB-B4C3426E7FAD@microsoft.com...
> Well maybe it is not IIS, but it is an opening. Sorry to have wasted
> everyone's time.
>
> "Paul Adare" wrote:
>
>> In article <86189C9C-1E64-4E03-87DB-B1809E909963@microsoft.com>, in the
>> microsoft.public.security news group, jkavanagh58
>> <jkavanagh58@discussions.microsoft.com> says...
>>
>> > It is an IIS vulnerability. This CAN does apply to IIS, meaning using the
>> > dots you can access system files.
>> >
>>
>> Where do you see that this applies to IIS? This hasn't even been
>> accepted for inclusion in the CVE list and given the fact that it was
>> put forward for inclusion on 12/14/99 and still hasn't been accepted one
>> can safely assume that it won't be.
>>
>> --
>> Paul Adare
>> MVP - Windows - Virtual Machine
>> http://www.identit.ca/blogs/paul/
>> "The English language, complete with irony, satire, and sarcasm, has
>> survived for centuries without smileys. Only the new crop of modern
>> computer geeks finds it impossible to detect a joke that is not clearly
>> labeled as such."
>> Ray Shea
>>
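
Added example, not part of the thread and not IIS's own code: a sketch of the two behaviours Roger describes, a server that refuses `..` segments outright versus one that allows them but still confines the resolved path to the web root. The web root, function name and sample request paths are assumptions constructed for illustration; file-system ACL checks are a separate layer and are not modelled.

```python
import ntpath

WEB_ROOT = r"C:\inetpub\wwwroot"  # assumed document root (constructed)


def resolve_request(rel_path, web_root=WEB_ROOT, allow_parent_paths=False):
    """Map a request path to a file path under web_root, or return None.

    allow_parent_paths=False rejects any '..' segment outright.
    allow_parent_paths=True accepts '..' only while the normalized
    result stays inside web_root.
    """
    # Treat '/' and '\' alike, as Windows path handling does.
    segments = [s for s in rel_path.replace("/", "\\").split("\\") if s]
    if not allow_parent_paths and ".." in segments:
        return None
    # A drive letter or stream name inside a segment is never legitimate.
    if any(":" in s for s in segments):
        return None
    root = ntpath.normcase(ntpath.normpath(web_root))
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(root, *segments)))
    # Compare canonical forms; the trailing separator stops a sibling
    # directory such as 'wwwroot2' from passing a bare prefix test.
    if candidate != root and not candidate.startswith(root + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        "images/logo.gif",
        "scripts/../default.htm",
        "..\\..\\windows\\win.ini",
        "..\\wwwroot2\\secret.txt",
    ]
    for path in samples:
        for allow in (False, True):
            print(path, allow, resolve_request(path, allow_parent_paths=allow))
```
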