hi, there is a really stupid bug in w3-msql cgi-bin developped by Hughes Technology: http://www.Hughes.com.au This bug is a bit old but seams to be always actual in the last release of this software: mini-sql v 2.0.10.1 It's very simple to exploit the flaw; An intruder is able to look at everything on a remote web server even if the directory is ".htaccess protected". (eg apache) the first way to do it: http://www.victim.org/cgi-bin/w3-msql/protected-directory/pr ivate-file note: in this case, the intruder 'll have to already know th structure of the directory the second way: http://www.victim.org/cgi-bin/w3-msql/protected-directory/.h tpasswd in this way, intruder 'll get all DES encrypted password for authorized users in plain text and so will be able to crack any account (eg Crack 5.0 alex muphett) Solution: First: there is no private directory in your site, ok...in this case, u don't matter with this bug Otherwise, don't put your .htpasswd files under apache root (change your link in .htaccess) and contact quickly Hughes Technology. have a nice day Gregory Duchemin (security engineer) Neurocom 179-181 Av Charles De Gaulle 92200 Neuilly Sur Seine
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:56:47 PDT