ms-personal-webserver-path.txt

17 Aug 1999 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Vulnerabilities discovered in Microsoft Personal Web Server allow directory listing and file download.

Code
`Personal web server  
  
kiborg ([email protected])  
Wed, 17 Jan 1996 22:30:13 +0200   
  
  
Hello,  
  
Sorry if this has already been known. But i didn't find something of the  
sort.  
While playing with Microsoft Personal Web Server  
(Frontpage-PWS32/3.0.2.926).  
I found that the following URL will list the root directory and be able to  
download any file you want.  
http://www.victim.com/....../  
  
Index of /....../  
  
WINDOWS  
My Documents  
Program Files  
FrontPage Webs  
AUTOEXEC.BAT  
COMMAND.COM  
  
and so on.......  
  
-----  
[email protected] Your letters, raindrops,  
http://www.kiborg.net will tell me so much pa pa-rara!  
  
---------------------------------------------------------------------------  
  
Re: Personal web server  
  
Sean Coates ([email protected])  
Mon, 18 Jan 1999 14:12:32 -0400   
  
  
kiborg wrote:  
  
> Hello,  
>  
> Sorry if this has already been known. But i didn't find something of the  
> sort.  
> While playing with Microsoft Personal Web Server  
> (Frontpage-PWS32/3.0.2.926).  
> I found that the following URL will list the root directory and be able to  
> download any file you want.  
> http://www.victim.com/....../  
>  
  
That seems to be fixed in the windows98 version of PWS  
  
(http://24.231.6.49/....../ returns server error 161)  
  
Sean Coates  
[email protected]  
[email protected]  
  
---------------------------------------------------------------------------  
  
Date: Tue, 19 Jan 1999 10:21:24 -0800  
From: Aleph One <[email protected]>  
To: [email protected]  
Subject: Re: Personal web server  
  
Here is some feedback from people. Results vary wildly.  
  
No:  
  
Windows NT 4.0 SP3 ("kiborg" <[email protected]>)  
Windows NT 4.0 SP4 (Russ)  
Windows NT 4.0 SP4 PWS 4.02.0622  
Windows 2000 beta 2 ("John Sweeney" <[email protected]>)  
Windows 98 (Sean Coates [email protected])  
  
Yes:  
  
Windows 95 ("kiborg" <[email protected]>)  
Windows 98 ("kiborg" <[email protected]>)  
Windows 98 + fixes & patches ("David Schwartz" <[email protected]>)  
  
Someone mentioned this may be the fault of FrontPage. It asks you to install PWS  
when you install FP. It may be possible that FP is configuring PWS in such a way  
to leave it open.  
  
--  
Aleph One / [email protected]  
http://underground.org/  
KeyID 1024/948FD6B5  
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01  
  
---------------------------------------------------------------------------  
  
Date: Thu, 18 Jan 1996 23:44:37 +0200  
From: kiborg <[email protected]>  
To: [email protected]  
Subject: Re: Personal web server  
  
  
>An attempt to do this on a Windows NT 4.0 WS (with SP4) failed with a  
>404 error as expected.  
Yes on NT 4.0(SP3) i get the same.  
  
404 Not Found  
The requested URL /....../ was not found on this server.  
  
>Maybe Kiborg can tell us on what platform this was successfully  
>performed on together with what, if any, security was configured on said  
>box.  
I did check on :  
Win95 worked.  
Win98 worked.  
and on NT 4.0 (SP3) failed with 404 error.  
  
>  
>Obviously /....../ shouldn't match to any directory by any convention  
>I'm aware of, so its clearly some sort of problem. To determine,  
>however, the extent of the risks for Win9x users of PWS we should know  
>how the site was being secured, configured, and accessed.  
  
Well I discovered that http://127.0.0.1/..../ or http://127.0.0.1/........./  
(must be more than 3 dots /..../) will show the root directory.  
  
  
-----  
[email protected] Your letters, raindrops,  
http://www.kiborg.net will tell me so much pa pa-rara!  
  
---------------------------------------------------------------------------  
  
Date: Tue, 19 Jan 1999 13:51:48 -0800  
From: Michael Howard <[email protected]>  
To: [email protected]  
Subject: Re: Personal web server  
  
the frontpage team are looking at it now - as sean noted, the iis codebase  
in pws does not have this issue. i'll fwd more info to this alias as soon as  
i get more info from the fp team.  
  
Cheers, MH  
IIS Security  
  
---------------------------------------------------------------------------  
  
Date: Tue, 19 Jan 1999 15:13:51 MST  
From: Fredrick Moore <[email protected]>  
To: [email protected]  
Subject: Re: Personal Web Server  
  
>From: Ilya Varlashkin <[email protected]>  
>GET /....../  
><HEAD><TITLE>404 Not Found</TITLE></HEAD>  
><BODY><H1>404 Not Found</H1>  
>The requested URL /....../ was not found on this server.<P>  
></BODY>  
>Connection closed by foreign host.  
  
Kiborg <[email protected]> was right, it works. My testings.  
Server: FrontPage-PWS32/3.0.2.926  
OS: Win95  
  
During installation process i installed only PWS without any other  
components. Let's test  
http://127.0.0.1/....../  
  
Index of /....../  
(worked)  
  
I removed PWS, and installed Typical setup (including: FrontPage client  
software, personal web server, FrontPage extensions)  
Let's test.  
http://127.0.0.1/....../  
  
404 Not Found  
The requested URL /....../ was not found on this server.  
(failed)  
  
Ok let's run command.com  
C:\windows\other\dirs\>cd \......\  
C:\>  
Maybe this is the problem?  
Does this work with Win98??  
  
>So it seems something is wrong with your PWS settings  
Maybe, but i installed freshly without changing anything. Anyway i  
think microsoft must check this out.  
  
---------------------------------------------------------------------------  
  
Date: Tue, 19 Jan 1999 18:37:55 -0400  
From: Sean Coates <[email protected]>  
To: [email protected]  
Subject: Re: Personal web server  
  
Michael Howard wrote:  
  
> the frontpage team are looking at it now - as sean noted, the iis codebase  
> in pws does not have this issue. i'll fwd more info to this alias as soon as  
> i get more info from the fp team.  
>  
> Cheers, MH  
> IIS Security  
>  
  
It seems that servers which are branded "IIS" _DO_ have the problem, and  
servers branded with "PWS" do NOT have the problem. For instance, the server at  
24.231.6.49 returns a server version of "Microsoft-PWS-95/2.0" yet the server at  
24.231.6.205 returns "Microsoft-IIS/4.0" and the server at  
24.231.6.2(www.ebci.ca) returns "Microsoft-IIS/4.0 Beta 3".  
  
the *.49 server is not vulnerable, and neither is the *.2 server, but the *.205  
server IS vulnerable (I told the admin of this machine about the problem, so it  
may be fixed by the time this reaches bugtraq.)  
  
By talking to the admin of each server, I've concluded that the *.49 server is a  
downloaded version of PWS, running on windows98, the *.205 server is PWS from  
the windows98 CD (OEM, as far as I know), running on Win98, and the *.2 server  
is actually IIS, running on Windows NT Server 4.  
  
Sorry about the confusion of my earlier post, hope this clears it up.  
My luck, it'll probably just make it worse. (-;  
  
Sean Coates  
[email protected]  
[email protected]  
  
---------------------------------------------------------------------------  
  
Date: Wed, 20 Jan 1999 11:57:19 +0300  
From: Victor Lavrenko <[email protected]>  
To: [email protected]  
Subject: Bug in IIS and PWS but only for Windows 9x. Re: Personal web server  
  
>>>>> "Aleph" == Aleph One <[email protected]> writes:  
  
Hello everybody.  
  
This bug exists because Windows 9x has a nice feature. When you  
execute "cd .." it goes to the parent directory, and "cd ..." goes to  
the parent directory of parent directory etc. Windows NT has no such  
feature so it isn't exploitable.  
  
IIS 4.0 and PWS 3.0 exploitable while executed under Windows 9x only,  
not Windows NT.  
  
Aleph> No:  
  
Aleph> Windows NT 4.0 SP3 ("kiborg" <[email protected]>) Windows  
[skip]  
Aleph> Windows 98 (Sean Coates [email protected])  
  
Sean checked box with PWS 2.0. Due to another bug in its core, it  
seems that is not exploitable. PWS 3.0 doesn't have such bug so it is  
exploitable.  
  
Aleph> Yes:  
  
Aleph> Windows 95 ("kiborg" <[email protected]>) Windows 98  
[skip]  
Aleph> it open.  
  
PWS and IIS (they have the same core) check for ".." in URL, but don't  
check for "...", "...." etc.  
  
Summary:  
  
1. IIS 4.0 and PWS 3.0 exploitable under Windows 9x.  
2. IIS (any version) and PWS (any version) not exploitable under  
Windows NT.  
3. PWS 2.0 and (possibly) IIS 3.0 not exploitable under Windows 9x.  
  
--  
Victor Lavrenko  
Homepage: http://www.lavrenko.pp.ru/  
E-mail: [email protected] [email protected]  
Fingerprint: 35 D0 98 8D 96 E5 F4 BA 59 FB 9D 29 92 26 F5 59  
  
---------------------------------------------------------------------------  
  
Date: Wed, 20 Jan 1999 16:59:48 -0800  
From: Aleph One <[email protected]>  
To: [email protected]  
Subject: Re: Personal web server  
  
Here is a summary of the problem so far. Windows 95/98 treat "...." as  
"..\.." and "......" as "..\..\..". Personal Web Server does not check  
for these "aliases" and allows the request. This can be used to  
access files and directories above the virtual web root. Disabling  
directory browsing only does what it says, disables directory browsing.  
If an attacker can guess a path and name of a file, and it is in the same  
drive as the web server, he can retrieve the file.  
  
The problem only affects FrontPage Personal Web Server. This is the  
version shipped with FrontPage. The version not affected is the  
Microsoft Personal Web Server.  
  
I thought we've seen the last of these Windows file aliases vulnerabilities.  
Guess I was wrong. Incredible the amount of cruft the Windows file name  
parser will take. Wonder what other wonderful aliases are waiting to be  
discovered.  
  
--  
Aleph One / [email protected]  
http://underground.org/  
KeyID 1024/948FD6B5  
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01  
  
---------------------------------------------------------------------------  
  
Date: Thu, 21 Jan 1999 12:03:57 -0800  
From: Aleph One <[email protected]>  
To: [email protected]  
Subject: Re: Personal web server  
  
Thanks to Xiaoyong Wu <[email protected]> for pointing out more  
Windows weirdness.  
  
Under Windows NT 4.0 SP3:  
  
C:\> cd TEMP  
C:\TEMP> cd ...  
C:\TEMP> cd ....  
C:\TEMP> cd .....  
C:\TEMP>  
  
[ It seems NT interprets N+3 dots as '.' ]  
  
C:\TEMP> cd ..\  
C:\>  
  
[ It seems NT interprets '..\' as '..'. Makes sense as '\' is directory  
delimiter character for paths. ]  
  
C:\TEMP> cd ...\  
C:\>  
C:\> cd TEMP  
C:\TEMP> cd ...\WINNT  
C:\WINNT>  
  
[ Whoa. Now NT interprets '...\' as '..'. Bad. Real bad. ]  
  
C:\TEMP> mkdir TEST  
C:\TEMP> cd TEST  
C:\TEMP\TEST> cd ...\  
The system cannot find the path specified.  
  
[ Hmm. But it doesn't work in directories more than one deep. ]  
  
C:\TEMP> cd ..\...\  
C:\>  
  
[ That figures. ]  
  
C:\TEMP\TEST> cd ..\...  
C:\TEMP> cd ....\  
C:\TEMP>  
  
[ Hmm. Now NT interprets '....\' as '..'. Weird. But wait it gets stranger. ]  
  
C:\> cd TEMP  
C:\TEMP> cd ....\  
C:\TEMP> cd ....\  
C:\>  
  
[ Huh? The first '....\' is interpreted as '.' and the second as '..'.  
But... ]  
  
C:\> cd TEMP  
C:\TEMP> cd TEST  
C:\TEMP\TEST> cd ....\  
C:\TEMP\TEST> cd ....\  
The system cannot find the path specified.  
C:\TEMP\TEST> cd ..  
C:\TEMP\TEST> cd ..  
C:\TEMP>  
  
[ Now in a directory two levels deep the first '....\' is interpreted as '..'  
while the second one gives an error. The first '..' is interpreted as '.'  
while the second one works as normal. ]  
  
C:\TEMP> cd ....\  
C:\TEMP> cd TEST  
The system cannot find the path specified.  
C:\TEMP> cd .  
C:\TEMP> cd TEST  
C:\TEMP\TEST>  
  
[ It seems that '....\' also breaks trying to cd to subdirectories. ]  
  
The '....\' problem seems to appear for any such string with N+4 dots  
followed by a slash. I can only guess on the many other ways they  
may try to interpret pathnames.  
  
--  
Aleph One / [email protected]  
http://underground.org/  
KeyID 1024/948FD6B5  
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01  
  
---------------------------------------------------------------------------  
  
Date: Fri, 22 Jan 1999 18:46:53 -0000  
From: Ian O'Friel <[email protected]>  
To: [email protected]  
Subject: Re: Personal Web Server  
  
I'm not sure if this point has been raised before now, but with the recent  
issues containing about /....../ and so on, Shares are accessible via  
personal Web Server.  
  
For Example, I tried sharing my WinZip Directory as 'Test' and strangely  
enough http://127.0.0.1/Test/ brought up the WinZip Directory.  
  
Does anyone know of problems caused by this ?  
  
Ian O'Friel  
  
`
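
Added example, not part of the original thread or of any Microsoft code: a Python sketch contrasting the denylist check described in Victor Lavrenko's and Aleph One's messages (only a literal ".." segment is refused) with a stricter rule that refuses every dots-only path segment. The function names and the sample request paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths (not taken from any real log).
SAMPLES = [
    "/index.htm",
    "/docs/../index.htm",
    "/....../",
    "/..../AUTOEXEC.BAT",
    "/%2e%2e%2e%2e/",
    "/images/logo.v2.gif",
]

def segments(url_path):
    """Percent-decode once, then split on both URL and Windows separators."""
    return [s for s in re.split(r"[/\\]", unquote(url_path)) if s]

def denylist_check(url_path):
    """The check the thread describes: only a literal '..' segment is refused."""
    return ".." not in segments(url_path)

def strict_check(url_path):
    """Refuse any segment made up solely of dots, so '...', '....' and longer
    runs are covered without enumerating the aliases a file name parser accepts.
    Spaces are treated as padding too (an added hardening choice, not something
    the thread discusses); a lone '.' is refused as well."""
    for seg in segments(url_path):
        if seg.rstrip(". ") == "":
            return False
    return True

def missed_by_denylist(paths):
    """Paths the '..'-only check lets through but the strict rule refuses."""
    return [p for p in paths if denylist_check(p) and not strict_check(p)]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path:24} denylist={denylist_check(path)!s:5} "
              f"strict={strict_check(path)}")
    print("missed by denylist:", missed_by_denylist(SAMPLES))
```

A dots-only filter is a backstop: the path the operating system finally resolves should still be checked for containment under the web root.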
