MS-DOS Filename/Directory Vulnerability

From: Felipe Moniz (fmonizat_private)
Date: Thu Aug 16 2001 - 19:08:16 PDT


    Hi all,
    
    I tested this in the PWS (based on IIS 4) and it worked.
    
    I created a file called "clientlist2001.txt" and with client~1.txt
    (www.site.com/client~1.txt) I get the clientlist2001.txt without knowing the
    complete name of the file. The problem also occurs when I type
    "postin~1.htm" to access the "postinfo.html" file.
    
    I think that it's simple but it can open a range of new types of CGI attacks,
    depending on the web server. It can also be used to change attack
    signatures and evade intrusion detection.
    
    PWS is vulnerable; IIS 4.0 and Sambar Server apparently are not, but certainly
    other Win32 web servers are vulnerable. All long filenames, directories and
    files with long extensions are vulnerable.
    
    Can this be considered a simple data exposure? I think so. This type of
    access can be dangerous, like some directory listing bugs or path
    disclosure.
    
    Sorry for my English,
    
    Regards,
    
    Felipe Moniz
    Network Security Specialist
    felipemonizat_private
    Especialista em Segurança de Redes
    Rio de Janeiro, RJ - Brasil
    
    Know about Brazil:
    http://www.hideaway.net/stealth/brasil.shtml
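As an added example (not part of Felipe's post), the Python below models the 8.3 aliasing he describes from the defender's side: it audits which long filenames in a web root would become reachable under a short name, and it resolves tilde-style requests in access-log lines back to the real filename so that detection rules can match on the long name rather than being evaded by the alias. The alias model is a deliberate simplification of the real Windows algorithm, and the file list and log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed web-root listing in creation order; the first and third names come from the post.
WEBROOT_FILES = ["clientlist2001.txt", "clientnotes.txt", "postinfo.html", "index.html", "readme.txt"]
# Constructed access-log lines (common log format) for the detector below.
LOG_LINES = [
    '10.0.0.5 - - [16/Aug/2001:19:08:16 -0700] "GET /client~1.txt HTTP/1.0" 200 512',
    '10.0.0.5 - - [16/Aug/2001:19:08:20 -0700] "GET /index.html HTTP/1.0" 200 1024',
    '10.0.0.9 - - [16/Aug/2001:19:09:01 -0700] "GET /postin~1.htm HTTP/1.0" 200 300',
]
SAFE = r"[A-Za-z0-9_$-]"                      # characters kept when building a short name
EIGHT_THREE_RE = re.compile(SAFE + r"{1,8}(\." + SAFE + r"{1,3})?")
ALIAS_RE = re.compile(SAFE + r"{1,6}~\d+(\." + SAFE + r"{1,3})?")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

def short_name_map(files):
    """Map the 8.3 alias each long filename would get to the long name.
    Simplified model (an assumption, not the exact NTFS/FAT algorithm): drop characters
    outside SAFE, uppercase, keep 6 stem chars + '~N' + 3 extension chars, with N counting
    up in creation order. Names that already fit 8.3 get no separate alias."""
    aliases, seen = {}, Counter()
    for name in files:
        if EIGHT_THREE_RE.fullmatch(name):
            continue
        stem, _, ext = name.rpartition(".") if "." in name else (name, "", "")
        base = re.sub(r"[^A-Za-z0-9_$-]", "", stem).upper()[:6]
        ext3 = re.sub(r"[^A-Za-z0-9_$-]", "", ext).upper()[:3]
        seen[(base, ext3)] += 1
        aliases[f"{base}~{seen[(base, ext3)]}" + (f".{ext3}" if ext3 else "")] = name
    return aliases

def find_alias_requests(log_lines, aliases):
    """Flag requests whose last path segment looks like an 8.3 alias and resolve it against
    the alias map, so detection rules can match on the real filename instead of the alias."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]
        leaf = path.rsplit("/", 1)[-1]
        if ALIAS_RE.fullmatch(leaf):
            hits.append((path, aliases.get(leaf.upper())))
    return hits
```

Because the numeric tail depends on the order in which files were created in the directory, the audit must be run against the real directory contents; an alias that resolves to None in the log is still worth flagging, since it shows a client probing short names.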
    



    This archive was generated by hypermail 2b30 : Thu Aug 16 2001 - 16:22:48 PDT