MICROSOFT WEBSERVERS LAID OPEN FOR ALL TO SEE
by Dave Murphy, member@itrain.org
Microsoft is scrambling to repair damage caused by a security hole in its IIS 4 & 5 webserver that runs on Windows NT/2000. Microsoft claims over four million IIS websites, and each one of them is at risk of releasing sensitive data through the security hole. Called the "Web Server Folder Traversal" error, the flaw allows users to execute files on an IIS website by requesting a specific web address.
http://www.zope.org/standard_html_header for example ;-) http://www.zope.org/objectIds as another...
The bug allows access to any file on the webserver via a specified URL. Like all webservers, IIS is supposed to prevent access to files that aren't intended to be part of the website.
Maybe Zope should too....
This article is posted to http://itrain.org/itinfo/2000/it001017.html
Live well, do good,
--Dave Murphy
cheers, Chris