Hi Kingcope, Thanks to a hint by "Petar" on the G-SEC blog [1] it appears that the very same bug was present in IIS3 and IIS4 and discovered by eeye in 1999 : http://research.eeye.com/html/advisories/published/AD19990124.html "Microsoft IIS (Internet Information Server) FTP service contains a buffer overflow in the NLST command. This could be used to DoS a remote machine and in some cases execute code remotely." Is this the same bug andwas the bug re-introduced ? Has Microsoft fixed LS but not NLST? "svn" mishap ? Maybe Mudge and/or Dildog can comment - would certainly be interesting to know whether and if HOW this bug was reintroduced. [1] http://blog.g-sec.lu/2009/09/iis-5-iis-6-ftp-vulnerability.html Regards, Thierry ZOLLER -- http://blog.zoller.lu
