Orchid XP v8 wrote:
> In other words, it stores more than email messages in a central
> database. Still conceptually the same deal, just with a few minor
> details on top.
No, not really. Shared stuff like calendars is not conceptually the same as
a central email store. What Exchange does is inherently hard to get right
because (in part) of the administration/configuration problem and in part
because of the shared part.
A centralized email server isn't sharing anything between users, nor
updating things already in the database.
> Well, when somebody says that two identical things are not, in fact,
> identical, I ask what they think is different...
No. You say "Apache is notable for doing the same thing as IIS", not "What
does IIS do that Apache doesn't?"
>> How can you be IT support for a Windows-based company and not
>> understand the terms "Windows logins" and "remote administration"?
>
> I don't see what "Windows logins" have to do with a generic web server,
> that's all.
Have you ever used an intranet application where you had to log in to the
web page? It means it uses the Active Directory Kerberos password stuff to
let you log into web pages.
MS SQL Server allows this too.
>>>>> (Aside from giving root access to anybody who types their URLs with
>>>>> backslashes instead of forward slashes...)
>>>>
>>>> Cite?
>>>
>>> I *think* this is the correct one:
>>>
>>> https://services.netscreen.com/restricted/sigupdates/nsm-updates/HTML/HTTP:IIS:ASP-DOT-NET-BACKSLASH.html
>>
>>
>> And where does it say anything about root access there?
>
> It says that you can "bypass all security controls". How is that
> different from root access?
Where do you see it say "bypass all security controls"? I see it say "bypass
ASP.NET authentication capabilities". I see "bypass authentication required
to access files in secured directories."
What this bug is, in practice, is a way to go
"http://blah.com/yadda\..\..\hello.txt"
and get out of the DocumentRoot defined by the web server. For example, they
could use
"http://blah.com/yadda\..\..\cgi\script.php"
to see the source of your PHP CGI script.
Still not root access.
--
Darren New, San Diego CA, USA (PST)
"We'd like you to back-port all the changes in 2.0
back to version 1.0."
"We've done that already. We call it 2.0."
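The URL shape described in the post above, as an added example that is not part of the original post and is not IIS or ASP.NET code: a check that looks for `..` only between forward slashes passes the backslash form, while resolving with Windows path rules first and then testing containment rejects it. `DOC_ROOT`, the function names and the first sample URL are hypothetical.

```python
import ntpath  # Windows path semantics, importable on any OS
from urllib.parse import unquote, urlsplit

DOC_ROOT = r"C:\inetpub\wwwroot"  # hypothetical document root (assumption)

# Constructed sample URLs; the two backslash forms are the ones quoted in the post.
SAMPLES = [
    "http://blah.com/yadda/page.html",
    r"http://blah.com/yadda\..\..\hello.txt",
    r"http://blah.com/yadda\..\..\cgi\script.php",
]


def naive_check(url):
    """Flawed check: only sees '..' when it sits between forward slashes."""
    return ".." not in urlsplit(url).path.split("/")


def resolve(url):
    """Path a Windows file API would end up opening for this URL."""
    rel = unquote(urlsplit(url).path).lstrip("/\\")
    return ntpath.normpath(ntpath.join(DOC_ROOT, rel))


def safe_check(url):
    """Canonicalise first, then require the result to stay under DOC_ROOT."""
    resolved = ntpath.normcase(resolve(url))
    root = ntpath.normcase(DOC_ROOT)
    return resolved == root or resolved.startswith(root + "\\")


if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url}\n  naive={naive_check(url)} safe={safe_check(url)} -> {resolve(url)}")
```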