I find this methodology from Microsoft to be pretty brazen. Especially when one of the "features" of the new operating systems incorporating the personal web server was just that... You could host a website for you and your friends on your high speed home network connection, without having to upgrade to the more expensive NT / Win2K package.

Seems to me this is a simple way for Microsoft to cop out on a security issue. Or, in other words, an out and out pass the buck. If it was TRULY not intended for use on the internet, why would MS enable it on all IP addresses?

Either fix the problem, or at least own up to it Microsoft. You provided a "feature" in a "paid for" package that has a security flaw. Taking the stance of "Well, we gave it to you, but it isn't meant to be used" is just plain bovine fecal matter.

Toll_Free

-----Original Message-----
From: Microsoft Security Response Center [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 19, 2001 2:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Microsoft - Personal Web Server Extended UNICODE Directory Traversal Vulnerability

Hi All -

Personal Web Server is, of course, not intended to host web sites on the Internet. It's only intended to be used in protected environments such as home networks and the like. If you're hosting an Internet site, IIS is the appropriate product to use.

Regards,

Scott Culp
Security Program Manager
Microsoft Security Response Center

-----Original Message-----
From: Dinos Pastos [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 18, 2001 2:16 AM
To: [EMAIL PROTECTED]
Subject: Microsoft - Personal Web Server Extended UNICODE Directory Traversal Vulnerability

Hi all...

Just wanted to point out that while testing my Default installation of Windows 98 running Microsoft Personal Web Server that came with the Windows98 SE CD I discovered that the famous IIS 4/5 Unicode Directory Traversal Vulnerability applies also to this Server just as bad as in IIS.

The exploit method is the same:

http://PWS-server/scripts/..%c1%9c../windows/notepad.exe

I won't go into detail on how to exploit a Windows machine... (Sorry script kiddies)...

Patches: Dunno.
Quickfixes: Use Linux.

Dinos Pastos - [EMAIL PROTECTED]
Security Advisor
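
Added example, not part of the thread and not code from any of its participants: the %c1%9c in the URL above is an overlong two-byte UTF-8 sequence that a lenient decoder turns into a backslash, so a log or request filter can flag such requests by validating UTF-8 strictly. The function names and sample request lines below are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Smallest code point that legitimately needs an n-byte UTF-8 sequence.
MIN_CODE_POINT = {2: 0x80, 3: 0x800, 4: 0x10000}
# Characters that change how a path is resolved.
PATH_CHARS = set("/\\.")

def overlong_sequences(path):
    """Return (offset, raw bytes, hidden character) for each overlong
    UTF-8 sequence in a percent-encoded request path."""
    data = unquote_to_bytes(path)
    hits, i = [], 0
    while i < len(data):
        lead = data[i]
        n = (2 if 0xC0 <= lead <= 0xDF else
             3 if 0xE0 <= lead <= 0xEF else
             4 if 0xF0 <= lead <= 0xF7 else 1)
        tail = data[i + 1:i + n]
        if n > 1 and len(tail) == n - 1 and all(0x80 <= b <= 0xBF for b in tail):
            # Decode leniently, the way a non-validating decoder would.
            cp = lead & (0xFF >> (n + 1))
            for b in tail:
                cp = (cp << 6) | (b & 0x3F)
            if cp < MIN_CODE_POINT[n]:  # shorter encoding exists: overlong
                hits.append((i, data[i:i + n], chr(cp)))
            i += n
        else:
            i += 1
    return hits

def classify(path):
    """'traversal' if an overlong sequence hides a path character,
    'overlong' for any other overlong sequence, otherwise 'clean'."""
    hits = overlong_sequences(path)
    if any(ch in PATH_CHARS for _, _, ch in hits):
        return "traversal"
    return "overlong" if hits else "clean"

SAMPLE_REQUESTS = [  # constructed sample request lines
    "GET /scripts/..%c1%9c../windows/notepad.exe HTTP/1.0",  # URL form from the post
    "GET /caf%c3%a9/menu.htm HTTP/1.0",                      # valid two-byte UTF-8
    "GET /default.htm HTTP/1.0",
]

def scan(requests):
    return [(line, classify(line.split(" ")[1])) for line in requests]

if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_REQUESTS):
        print(f"{verdict:10} {line}")
```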