Re: Doubledot bug in FrontPage FrontPage Personal Web Server.

From: GALES,SIMON (Non-A-ColSprings,ex1) (george_galesat_private)
Date: Fri Feb 18 2000 - 13:46:47 PST


    
    I've attempted to reproduce this on:
        Windows NT 4.0 Workstation SP5
        Windows NT 4.0 Workstation SP3
        Windows NT 4.0 Workstation SP1
    with no joy.
    
    I'm running FP98, which installed PWS 3.0.2.926.
    
    Does this only occur on Win9x?  Has anyone been able to reproduce this?
    Jan, which OS/SP were you running?
    
    I vaguely remember some discussion (in BugTraq or NTBugTraq maybe?) about
    using "..." and/or "...." from the command prompt, and this is probably tied
    to that problem.
    
    G. Simon Gales
    george_galesat_private
    
    -----Original Message-----
    From: Jan van de Rijt [mailto:rijtat_private]
    Sent: Tuesday, February 15, 2000 6:16 PM
    To: BUGTRAQat_private
    Subject: Doubledot bug in FrontPage FrontPage Personal Web Server.
    
    
    Description: Doubledot bug in FrontPage FrontPage Personal Web Server.
    Compromise: Accessing drive through browser.
    Vulnerable Systems: Frontpage-PWS32/3.0.2.926; other versions not tested.
    Details:
    When FrontPage-PWS runs a site on your c:\ drive, your drive could be
    accessed by any user accessing your page, simply by requesting any file in
    any directory except the files in the FrontPage dir., especially /_vti_pvt/.
    
    How to exploit this bug?
    Simply adding /..../ in the URL address bar.
    
    http://www.target.com/..../<any_dir>/<any_file>
    
    so by requesting http://www.target.com/..../Windows/Admin.pwl the webserver
    lets us download the .pwl file from the target.
    
    Files and dirs. with the hidden attribute set are vulnerable.
    
    Solution:
    The best solution is installing FrontPage on a drive that doesn't contain
    private information.
    
    Greetings,
    
    Jan van de Rijt aka The Warlock.
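A defender-side check for the /..../ pattern discussed in this thread, added here as an example and not part of either post: it decodes and normalises a request path, rejects segments made of three or more dots (which the Win9x file APIs of the time collapsed into repeated parent-directory references), confirms the result still lies under the web root, and triages constructed log lines. The log lines and the /wwwroot root are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post); line 2
# mirrors the /..../ request the advisory describes, line 5 its encoded form.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Feb/2000:18:16:01] "GET /index.htm HTTP/1.0" 200 512
10.0.0.5 - - [15/Feb/2000:18:16:07] "GET /..../Windows/Admin.pwl HTTP/1.0" 200 688
10.0.0.5 - - [15/Feb/2000:18:16:09] "GET /images/../index.htm HTTP/1.0" 200 512
10.0.0.5 - - [15/Feb/2000:18:16:12] "GET /_vti_pvt/service.pwd HTTP/1.0" 403 0
10.0.0.5 - - [15/Feb/2000:18:16:15] "GET /%2e%2e%2e%2e/autoexec.bat HTTP/1.0" 200 300
"""

# A path segment consisting only of three or more dots is never a legitimate
# component; it is the signature of the dot-run traversal from the thread.
DOT_RUN = re.compile(r"(^|/)\.{3,}(/|$)")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def is_safe_request_path(raw_path, web_root="/wwwroot"):
    """Return True only if the decoded, normalised path stays under web_root."""
    path = unquote(raw_path.split("?", 1)[0])  # drop query, undo %-encoding first
    if DOT_RUN.search(path):                   # '...' / '....' segments: reject
        return False
    path = path.replace("\\", "/")             # Windows also treats '\' as a separator
    resolved = posixpath.normpath(posixpath.join(web_root, path.lstrip("/")))
    # Ordinary '..' is allowed only while the canonical result stays inside the root.
    return resolved == web_root or resolved.startswith(web_root + "/")


def flag_traversal_attempts(log_text):
    """Return (line_number, request_path) pairs a defender should review."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST.search(line)
        if m and not is_safe_request_path(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    for n, path in flag_traversal_attempts(SAMPLE_LOG):
        print(f"line {n}: suspicious path {path}")
```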
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:36:00 PDT