Is there a fix or patch for this bug? I haven't been able to find any direct information on what versions aren't affected by this bug. I know a couple of people that run small websites using this thing (unfortunately).

-Alexander Kiwerski

At 10:10 PM 2/18/00 -0500, Jeff Dafoe wrote:
>On Fri, 18 Feb 2000, GALES,SIMON (Non-A-ColSprings,ex1) wrote:
>
>         I was able to reproduce this on a PWS installation under Win98
>second edition.
>
>
>Jeff Dafoe
>System Administrator
>Evolution Communications, Inc.
>
> > Does this only occur on Win9x? Has anyone been able to reproduce this?
> > Jan, which OS/SP were you running?
> >
> > I vaguely remember some discussion (in BugTraq or NTBugTraq maybe?) about
> > using "..." and/or "...." from the command prompt, and this is probably tied
> > to that problem.
> >
> > G. Simon Gales
> > george_galesat_private <mailto:george_galesat_private>
> >
> > -----Original Message-----
> > From: Jan van de Rijt [mailto:rijtat_private]
> > Sent: Tuesday, February 15, 2000 6:16 PM
> > To: BUGTRAQat_private
> > Subject: Doubledot bug in FrontPage FrontPage Personal Web Server.
> >
> >
> > Description: Doubledot bug in FrontPage FrontPage Personal Web Server.
> > Compromise: Accessing drive through browser.
> > Vulnerable Systems: Frontpage-PWS32/3.0.2.926 other versions not tested.
> > Details:
> > When FrontPage-PWS runs a site on your c:\ drive your drive could be
> > accessed by any user accessing your page, simply by requesting any file in
> > any directory except the files in the FrontPage dir. specially /_vti_pvt/.
> >
> > How to exploit this bug?
> > Simply adding /..../ in the URL addressbar.
> >
> > http://www.target.com/..../<any_dir>/<any_file>
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:36:37 PDT
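
An added example, not part of the original thread and not a vendor fix: a request-path check that a filter in front of the web server could apply, rejecting any path segment made only of dots. It covers the `/..../` form from the advisory, which a check for `..` alone lets through. The function names and sample paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# A segment consisting only of dots: "..", "...", "...." and longer runs.
_DOT_RUN = re.compile(r"^\.+$")


def naive_is_safe(url_path):
    """The common but insufficient check: reject only exact '..' segments."""
    return ".." not in url_path.split("/")


def decode_fully(path, max_rounds=3):
    """Percent-decode until stable so %2e and %252e spellings are seen as dots."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    raise ValueError("too many layers of percent-encoding")


def unsafe_segments(url_path):
    """Return every segment of the path that is a run of two or more dots."""
    path = decode_fully(url_path).replace("\\", "/")  # treat '\' as a separator
    bad = []
    for seg in path.split("/"):
        trimmed = seg.rstrip(" ")  # a trailing space must not hide a dot run
        if len(trimmed) >= 2 and _DOT_RUN.match(trimmed):
            bad.append(seg)
    return bad


def is_safe_path(url_path):
    """True only when no segment is a dot run and the encoding depth is sane."""
    try:
        return not unsafe_segments(url_path)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample request paths, not taken from any real log.
    for p in ["/index.html", "/..../some_dir/some_file.txt",
              "/%2e%2e%2e%2e/some_file.txt", "/docs/v1.2/readme.txt"]:
        print(f"{p!r}: naive={naive_is_safe(p)} strict={is_safe_path(p)}")
```
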