COMMAND

    MS Personal Web Server

SYSTEMS AFFECTED

    Win95, NT(?)

PROBLEM

    Lynn Kyle posted the following.  The MS Personal Web Server (tried
    on Win95, not NT) suffers from the old unpatched IIS 3.0 bug of
    allowing you to download asp files by using a trailing ".", e.g.,

        telnet victim 80
        GET /default.asp. HTTP/1.0

    will give you the contents of the asp, not the result.  Oops for
    any of you embedding a db login/pass in the asp.

SOLUTION

    There is no information on which versions of MS PWS this applies
    to, or on whether NT is vulnerable.  There is no official response
    at this time.
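
    Requests of the form shown under PROBLEM can be picked out of the
    server's access log.  The following is an added example, not part
    of the original advisory or of any Microsoft tooling; it assumes
    Common Log Format lines, generalizes to a percent-encoded dot, and
    the function names and sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: extensions the server maps to a script engine.
# The advisory names only .asp; extend this tuple for your own server.
SCRIPT_EXTS = ("asp",)

# Common Log Format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# A script extension followed by one or more dots at the very end of the path.
TRAILING_DOT_RE = re.compile(r"\.(?:%s)\.+$" % "|".join(SCRIPT_EXTS), re.IGNORECASE)


def is_trailing_dot_request(target):
    """True if the URL path (query string excluded) ends in '<script ext>.'."""
    path = target.split("?", 1)[0]
    path = unquote(path)  # treat an encoded dot (%2e) like a literal one
    return bool(TRAILING_DOT_RE.search(path))


def find_trailing_dot_requests(lines):
    """Return (client, target, status, answered_200) for each matching line.

    answered_200 is only a triage hint: a 200 means the server returned a
    body for that request, so the response is worth reviewing.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_trailing_dot_request(m.group("target")):
            continue
        status = int(m.group("status"))
        hits.append((m.group("host"), m.group("target"), status, status == 200))
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/1998:10:00:00 +0000] "GET /default.asp HTTP/1.0" 200 1043',
    '192.0.2.23 - - [01/Jan/1998:10:00:05 +0000] "GET /default.asp. HTTP/1.0" 200 2210',
    '192.0.2.23 - - [01/Jan/1998:10:00:09 +0000] "GET /admin/login.ASP%2e?x=1 HTTP/1.0" 404 0',
    '192.0.2.40 - - [01/Jan/1998:10:01:00 +0000] "GET /docs/readme. HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for host, target, status, answered in find_trailing_dot_requests(SAMPLE_LOG):
        print(f"{host} {target} -> {status} (review response: {answered})")
```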