| VID | 22119 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | It is possible to read any file on the remote system by prepending several dots to the file name. This vulnerability exists in old versions of Microsoft Personal Web Server (PWS) and FrontPage PWS. The attacker must already know the file names to exploit this vulnerability, and it yields no privileges other than read access. Example: GET ........../config.sys References: http://www.iss.net/security_center/static/2036.php, http://www.microsoft.com/technet/security/bulletin/ms99-010.asp |
| Recommendation | Affected users should obtain and install the Pwssecup.exe patch from Microsoft at: http://officeupdate.microsoft.com/Articles/PersWeb.htm |
| Related URL | CVE-1999-0386, CVE-2000-0153 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |