On Thursday 24 January 2002 17:06, Bob Tanner wrote:

> Vulnerability found on port www (80/tcp)
>
> The 'windmail.exe' cgi is installed.
>
>
> Yet, doing a find for "*windmail*" on all drives comes up blank.
>
> So, is this a false positive? hidden file? something inside IIS?

Not being familiar with what windmail is, I did the obligatory Google search. 
It found a BugTraq document from March 2000 that talked about NOT putting 
windmail.exe in the cgi-bin directory but providing access to it in its 
"normal" location to CGIs. I wonder if MS in their goal to make IIS stand for 
the "Idiot's Internet Server" added a helper script to access windmail 
without any additional muss or fuss. Might want to check the IIS 
configuration console for what programs are defined as available to run (or 
something like that.) The configuration might just know that windmail.exe is 
"allowed" to run and that might be setting off the alarm without the concern 
for windmail being loaded.

A shot in the inky black darkness...

-- 
Jack Ungerleider
jack at jacku.com