I've attempted to reproduce this on:

  Windows NT 4.0 Workstation SP5
  Windows NT 4.0 Workstation SP3
  Windows NT 4.0 Workstation SP1

with no joy.

I'm running FP98, which installed PWS 3.0.2.926.

Does this only occur on Win9x? Has anyone been able to reproduce this? Jan, which OS/SP were you running?

I vaguely remember some discussion (in BugTraq or NTBugTraq maybe?) about using "..." and/or "...." from the command prompt, and this is probably tied to that problem.

G. Simon Gales
george_galesat_private

-----Original Message-----
From: Jan van de Rijt [mailto:rijtat_private]
Sent: Tuesday, February 15, 2000 6:16 PM
To: BUGTRAQat_private
Subject: Doubledot bug in FrontPage Personal Web Server.

Description: Doubledot bug in FrontPage Personal Web Server.
Compromise: Accessing the drive through a browser.
Vulnerable Systems: Frontpage-PWS32/3.0.2.926; other versions not tested.
Details:
When FrontPage-PWS runs a site on your c:\ drive, your drive could be accessed by any user accessing your page, simply by requesting any file in any directory except the files in the FrontPage dir, especially /_vti_pvt/.

How to exploit this bug?
Simply add /..../ in the URL address bar.

http://www.target.com/..../<any_dir>/<any_file>

So by requesting http://www.target.com/..../Windows/Admin.pwl the web server lets us download the .pwl file from the target.

Files and dirs with the hidden attribute set are vulnerable.

Solution:
The best solution is installing FrontPage on a drive that doesn't contain private information.

Greetings,

Jan van de Rijt aka The Warlock.
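The following is an added example, not code from either message above. It models the mechanism the thread points at: on DOS/Win9x, a path segment made only of dots climbs one level per dot beyond the first ("..", "...", "....", and so on), and climbing past the drive root simply stops at the root, which is why "/..../Windows/Admin.pwl" on a site served from C:\ lands on C:\Windows\Admin.pwl. That multi-dot semantics is my assumption about how the server resolved paths; the page only reports the symptom. The web root, log lines and function names are constructed for the example. It resolves a URL path the way such a naive server would, flags requests that escape the web root, and shows the conservative check a hardened server should apply instead.

```python
import re
from urllib.parse import unquote

# Constructed web root (hypothetical; not from the original post).
WEBROOT = "C:/webroot"

# Constructed access-log sample in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Feb/2000:18:16:01 +0100] "GET /index.htm HTTP/1.0" 200 1024
10.0.0.5 - - [15/Feb/2000:18:16:05 +0100] "GET /..../Windows/Admin.pwl HTTP/1.0" 200 688
10.0.0.5 - - [15/Feb/2000:18:16:09 +0100] "GET /images/../index.htm HTTP/1.0" 200 1024
10.0.0.5 - - [15/Feb/2000:18:16:12 +0100] "GET /%2e%2e%2e/autoexec.bat HTTP/1.0" 200 120
10.0.0.5 - - [15/Feb/2000:18:16:15 +0100] "GET /_vti_pvt/service.pwd HTTP/1.0" 403 0
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def _levels_up(segment):
    """How many directory levels a segment climbs.

    Assumption (DOS/Win9x behaviour): a segment of N dots (N >= 2) climbs N-1
    levels, so '..' = 1, '...' = 2, '....' = 3. Anything else climbs none.
    """
    if len(segment) >= 2 and set(segment) == {"."}:
        return len(segment) - 1
    return 0


def resolve_win9x(webroot, url_path):
    """Map a URL path onto the filesystem the way a naive Win9x server would.

    Percent-decodes, then walks the segments: dot runs climb, everything else
    descends. Climbing past the drive root clamps at the root (no error).
    Returns (resolved_path, escaped) where escaped is True if the result is
    outside webroot.
    """
    decoded = unquote(url_path.split("?", 1)[0])
    segments = [s for s in decoded.split("/") if s and s != "."]
    root_parts = webroot.rstrip("/").split("/")   # e.g. ['C:', 'webroot']
    drive, stack = root_parts[0], list(root_parts[1:])
    for seg in segments:
        up = _levels_up(seg)
        if up:
            for _ in range(up):
                if stack:                 # clamp at drive root
                    stack.pop()
        else:
            stack.append(seg)
    resolved = drive + "/" + "/".join(stack)
    root_prefix = webroot.rstrip("/") + "/"
    escaped = not (resolved + "/").startswith(root_prefix)
    return resolved, escaped


def find_traversal_attempts(log_text, webroot=WEBROOT):
    """Scan log lines and return [(request_path, resolved_path)] for every
    request whose resolved target lies outside the web root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        resolved, escaped = resolve_win9x(webroot, m.group("path"))
        if escaped:
            hits.append((m.group("path"), resolved))
    return hits


def is_safe_request(webroot, url_path):
    """Hardened check a server should apply before touching the filesystem:
    decode first, reject any dot-only segment of two or more dots outright
    (so '..', '...', '....' are all refused, encoded or not), and only then
    confirm the resolved path is still under webroot."""
    decoded = unquote(url_path.split("?", 1)[0])
    if any(len(s) >= 2 and set(s) == {"."} for s in decoded.split("/")):
        return False
    _, escaped = resolve_win9x(webroot, url_path)
    return not escaped


if __name__ == "__main__":
    for path, target in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal: {path} -> {target}")
```

Two things worth noticing when running it: the "..." request is only caught because decoding happens before the dot-run test (a check on the raw URL would miss `%2e%2e%2e`), and `is_safe_request` deliberately refuses the harmless `/images/../index.htm` as well, since any server that has to reason about dot runs is better off refusing every parent reference than trying to enumerate the dangerous ones. The "install on a drive without private data" advice from the original post is visible in the model too: with the web root on another drive, the clamp at the drive root keeps C:\Windows out of reach.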
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:36:00 PDT