Doubledot bug in FrontPage Personal Web Server.

From: Jan van de Rijt (rijtat_private)
Date: Tue Feb 15 2000 - 15:15:51 PST

    Description: Doubledot bug in FrontPage Personal Web Server.
    Compromise: Accessing drive through browser.
    Vulnerable Systems: Frontpage-PWS32/3.0.2.926; other versions not tested.
    Details:
    When FrontPage-PWS runs a site on your c:\ drive, your drive could be
    accessed by any user accessing your page, simply by requesting any file
    in any directory except the files in the FrontPage dir., especially
    /_vti_pvt/.
    
    How to exploit this bug?
    Simply by adding /..../ in the URL address bar.
    
    http://www.target.com/..../<any_dir>/<any_file>
    
    So by requesting http://www.target.com/..../Windows/Admin.pwl the
    webserver lets us download the .pwl file from the target.
    
    Files and dirs. with the hidden attribute set are vulnerable.
    
    Solution:
    The best solution is installing FrontPage on a drive that doesn't
    contain private information.
    
    Greetings,
    
    Jan van de Rijt aka The Warlock.
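
The request in the message above relies on a path segment made up only of dots. As an added example (not part of the original post and not FrontPage code), here is a server-side check that refuses such segments and then confirms the result stays under the document root; `DOC_ROOT`, `resolve_request_path` and the sample requests are hypothetical names and constructed inputs.

```python
import posixpath
import re
from urllib.parse import unquote

DOC_ROOT = "C:/site/wwwroot"        # hypothetical document root
DOT_ONLY = re.compile(r"^\.+$")     # ".", "..", "...", "...." and longer

def resolve_request_path(doc_root, url_path):
    """Return the file path under doc_root for url_path, or None to refuse."""
    decoded = unquote(url_path)     # check what the file system will see
    if "\x00" in decoded:
        return None
    # Split on both separators: a Windows host accepts "\" as well as "/".
    segments = [s for s in re.split(r"[\\/]+", decoded) if s]
    for seg in segments:
        if DOT_ONLY.match(seg):     # refuse every dots-only segment
            return None
        if ":" in seg:              # refuse drive letters and stream names
            return None
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    # Second, independent check: the result must still sit under the root.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate

# Constructed sample requests; the second is the form quoted in the message.
SAMPLES = [
    "/index.htm",
    "/..../Windows/Admin.pwl",
    "/%2e%2e%2e%2e/Windows/Admin.pwl",
    "/..\\Windows/Admin.pwl",
    "/docs/v1.2/readme.txt",
]

if __name__ == "__main__":
    for path in SAMPLES:
        result = resolve_request_path(DOC_ROOT, path)
        print(f"{path!r:40} -> {result or 'REFUSED (403)'}")
```

Dots inside an ordinary name such as `v1.2` pass; only segments consisting entirely of dots are refused, before any file is opened.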
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:08 PDT