httpd-users mailing list archives

From "J. Greenlees" <ja...@shaw.ca>
Subject Re: [users@httpd] ASP with Vbscript support 2.0.43
Date Mon, 20 Jan 2003 09:24:40 GMT
Boyle Owen wrote:
>>-----Original Message-----
>>From: Pete Frasco [mailto:webmaster@frascoweb.com]
>>
>>I am using 2.0.43 on Win2k.  Is there a way to configure the system
>>to use ASP with VBSCRIPT with paying an arm and a leg.
>>
> 
> You *want* to pay an arm and a leg? Then you'll have no problem - try
> www.chilisoft.com
> 
> Rgds,
> 
> Owen Boyle
Owen,
I bet Pete wants to avoid paying the arm and leg. ;)
just didn't type the out on the end of with.


as far as I know, there isn't a reliable free option for vbscript.
but I could be wrong, since I really don't like a clientside script that 
can break out of its sandbox and damage people's systems, which 
vbscript can do through its access to ms' activex controls.

"
Microsoft File Transfer Manager ActiveX control buffer overflow allows 
arbitrary code

Risk
High

Date Discovered
08-19-2002

Description
The Microsoft File Transfer Manager (FTM) ActiveX control contains a 
buffer overflow vulnerability and allows arbitrary file upload and 
download. All FTM versions earlier than 4.0 are at risk.

The Microsoft File Transfer Manager ActiveX control is used to allow 
beta test customers and users in other Microsoft customer programs to 
download files from specific Microsoft sites.

The buffer overflow vulnerability, which exists in the Persist function, 
is exploited when input strings that are passed via script are parsed. 
This FTM ActiveX control can also add download or upload files to or 
from any folder on disk in its list of scheduled items without user 
approval. Exploitation could, potentially, enable an attacker to execute 
arbitrary code and gain control of the system. Because this ActiveX 
control is signed by Microsoft, the control can be installed without any 
warnings if a user has chosen to always trust content from Microsoft.

To find out if the File Transfer Manager Client is installed:

    1. From a command prompt, change to the %SystemRoot%\Downloaded Program Files\ directory.
    2. Type TransferMgr.exe and press Enter.

       If TransferMgr.exe does not exist, FTM is not installed.

To verify your FTM version:

     * From the control menu in the upper-left corner of the FTM Client window, click About.

Platforms Affected
Windows

Components Affected
Microsoft File Transfer Manager - All versions earlier than 4.0

Recommendations
"

from:
http://securityresponse.symantec.com/avcenter/security/Content/2307.html

there are also listed several javascript viruses that use vbscript to 
run activex controls.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

