For a quick fix, rename ism.dll to ism.old, or something like that.  You may
have to restart the Web service.

Brian


----- Original Message -----
From: "Mark G. Franz" <[EMAIL PROTECTED]>
To: "Cumhur KIZILARI" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Tuesday, January 09, 2001 7:48 AM
Subject: Re: Important


> Of course this is only true if the .htr extension application is
> available...
>
> -----Original Message-----
> From: Cumhur KIZILARI <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> <[EMAIL PROTECTED]>;
> [EMAIL PROTECTED]
> <[EMAIL PROTECTED]>
> Date: Tuesday, January 09, 2001 6:25 AM
> Subject: Important
>
>
> >From
> >http://www.guninski.com/iishtr.html
> >Georgi Guninski security advisory #33, 2001
> >IIS 5.0 allows viewing files using %3F+.htr
> >
> >Systems affected:
> >IIS 5.0 patched against the file fragment reading vulnerability
> >
> >Risk: Medium
> >Date: 8 January 2001
> >
> >Legal Notice:
> >This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute it
> >unmodified.
> >You may not modify it and distribute it or distribute parts of it without
> >the author's written permission.
> >
> >Disclaimer:
> >The opinions expressed in this advisory and program are my own and not of
> >any company. The usual standard disclaimer applies, especially the fact that
> >Georgi Guninski is not liable for any damages caused by direct or indirect
> >use of the information or functionality provided by this advisory or
> >program. Georgi Guninski bears no responsibility for content or misuse of
> >this advisory or program or any derivatives thereof.
> >
> >Description:
> >
> >IIS 5.0 allows viewing most types of CGI files if a special request is
> >performed.
> >
> >Details:
> >The following URL:
> >----------------------------------------
> >http://TARGETIIS/scripts/test.pl%3F+.htr
> >----------------------------------------
> >reveals the content of /scripts/test.pl instead of executing it.
> >This may give away passwords in CGI and other stuff.
> >If you are not patched the following may work (not discovered by me):
> >http://TARGETIIS/scripts/test.pl+.htr
> >This does not work for some types of .ASP if they contain certain
> >characters.
> >
> >_______________________________________________
> >Perl-Win32-Users mailing list
> >[EMAIL PROTECTED]
> >http://listserv.ActiveState.com/mailman/listinfo/perl-win32-users

_______________________________________________
Perl-Unix-Users mailing list. To unsubscribe go to 
http://listserv.ActiveState.com/mailman/subscribe/perl-unix-users
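A log check for the two request shapes quoted in the advisory above, added here as an example; it is not part of the original thread or the advisory. The log layout (date, time, client, method, target, status), the addresses and the sample lines are constructed for illustration, and a real W3C extended log takes its field order from its #Fields header.

```python
import re
from urllib.parse import unquote

# Decoded path shape from the advisory: <file.ext>, optional "?", "+" (or a
# space, as an assumption about how some loggers record it), then ".htr".
HTR_SHAPE = re.compile(r"^(.+\.[A-Za-z0-9]+)(\?)?[+ ]+\.htr$", re.IGNORECASE)

def classify(target):
    """Return (variant, script_path) if the request target has the advisory's shape, else None."""
    path = target.split("?", 1)[0]       # a literal "?" starts an ordinary query string
    m = HTR_SHAPE.match(unquote(path))   # "%3F" decodes to "?" inside the path itself
    if not m:
        return None
    return ("%3F+.htr" if m.group(2) else "+.htr", m.group(1))

def scan(lines):
    """Return (client, variant, script_path, status) for each matching log line."""
    hits = []
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) != 6:
            continue                     # skip directives and lines in another layout
        _date, _time, client, _method, target, status = parts
        found = classify(target)
        if found:
            hits.append((client, found[0], found[1], status))
    return hits

# Constructed sample lines (documentation address range, hypothetical paths).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri sc-status",
    "2001-01-09 06:25:01 192.0.2.10 GET /scripts/test.pl%3F+.htr 200",
    "2001-01-09 06:25:07 192.0.2.10 GET /scripts/test.pl+.htr 404",
    "2001-01-09 06:26:00 192.0.2.33 GET /scripts/test.pl?name=a+b 200",
    "2001-01-09 06:26:30 192.0.2.33 GET /scripts/test.pl?+.htr 200",
    "2001-01-09 06:27:00 192.0.2.33 GET /admin/page.htr 200",
    "2001-01-09 06:28:00 192.0.2.44 GET /Scripts/Test.PL%3f+.HTR 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 status on a hit is the case to follow up, since it means the server returned a body for that request.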
