I reported a while back on Webcom's (www.webcom.se) CGI Guestbook (wguest.exe and rguest.exe) having a number of security problems where any text-based file on an NT machine could be read from the file system provided the attacker knew the path to the file and the Anonymous Internet Account (IUSR_MACHINENAME on IIS) has the NTFS read right to the file in question. On machines such as Windows 95/98 without local file security every file is readable. wguest.exe is used to write to the Guestbook and rguest.exe is used to read from the Guestbook.

Their latest version has made this simpler: A request for http://server/cgi-bin/wguest.exe?template=c:\boot.ini will return the remote Web server's boot.ini and http://server/cgi-bin/rguest.exe?template=c:\winnt\system32\$winnt$.inf will return the $winnt$.inf file.

Why the developers at Webcom have not resolved this issue in their latest version is bordering on the criminal. I received no response to my mail to them about this. Anybody using this Guestbook should remove it as soon as possible and obtain another CGI Guestbook if you really need one.

Cheers,
David Litchfield

http://www.arca.com
http://www.infowar.co.uk/mnemonix/
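Added example, not part of the original post and not Webcom's code: a Python check that scans web server access logs for requests to wguest.exe or rguest.exe whose template parameter points at a drive letter, a rooted or UNC path, or a ".." segment, as in the requests described above. The five-field log layout, the sample lines and the template name guest.htm are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample: "client method uri-stem uri-query status" (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 GET /cgi-bin/wguest.exe - 200
10.0.0.9 GET /cgi-bin/wguest.exe template=c:\\boot.ini 200
10.0.0.9 GET /cgi-bin/rguest.exe template=c%3A%5Cwinnt%5Csystem32%5C%24winnt%24.inf 200
10.0.0.7 GET /CGI-BIN/RGUEST.EXE Template=..%2F..%2Fautoexec.bat 404
10.0.0.3 GET /cgi-bin/rguest.exe template=guest.htm 200
10.0.0.4 GET /default.htm template=c:\\boot.ini 200
"""

# Script names are matched case-insensitively because Windows paths are.
SCRIPT_RE = re.compile(r"/(?:wguest|rguest)\.exe$", re.IGNORECASE)
# Drive letter, rooted/UNC path, or a ".." segment in the template value.
SUSPICIOUS_RE = re.compile(r"^[a-z]:|^[\\/]|(?:^|[\\/])\.\.(?:[\\/]|$)", re.IGNORECASE)

def fully_decode(value, rounds=3):
    # Undo nested percent-encoding (e.g. %255C) with a bounded number of passes.
    for _ in range(rounds):
        value = unquote(value)
    return value

def suspicious_template(stem, query):
    """Return the decoded template value if it escapes the guestbook, else None."""
    if not SCRIPT_RE.search(stem):
        return None
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() == "template":
            path = fully_decode(value).strip()
            if SUSPICIOUS_RE.search(path):
                return path
    return None

def scan(log_text):
    """Return (client, requested_path, status) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not fit the assumed layout
        client, _method, stem, query, status = fields
        path = suspicious_template(stem, query)
        if path is not None:
            hits.append((client, path, status))
    return hits

if __name__ == "__main__":
    for client, path, status in scan(SAMPLE_LOG):
        print(f"{client} requested template={path!r} (HTTP {status})")
```

A hit with status 200 means the file contents were probably returned to the client; hits with other status codes still show probing for the guestbook.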
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:52 PDT