Re: List Site Pro, an intresting number of site "hacks"

From: Michel Arboi (arboiat_private)
Date: Mon Jul 09 2001 - 23:14:18 PDT

Next message: Charles Stevenson: "Re: Tripwire temporary files"

Previous message: Charles Stevenson: "Re: Tripwire temporary files"
In reply to: Siberian: "List Site Pro, an intresting number of site "hacks""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

 --- Siberian <siberian@sentry-labs.com> a écrit : 
> the file modified was lspro_list_header.txt I think, which
> permissions were set to 666. Are they using a simple put to
> modify? Is put supported by any webserver by default?

Yes it is, by IIS (is this really a surprise? :)
If your permissions are wrong, it will accept "anonymous" PUT, without
a password.
As far as I know, there is no simple way to disable the PUT or DELETE
method in IIS. In Apache, they are disabled by default and you have to
uncomment a couple of lines scattered in the configuration file if you
really want to shoot you in the foot.

> Here is the vendor URL:
> http://www.listsitepro.com/

What am I supposed to find here?


___________________________________________________________
Do You Yahoo!? -- Pour faire vos courses sur le Net, 
Yahoo! Shopping : http://fr.shopping.yahoo.com

Next message: Charles Stevenson: "Re: Tripwire temporary files"
Previous message: Charles Stevenson: "Re: Tripwire temporary files"
In reply to: Siberian: "List Site Pro, an intresting number of site "hacks""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 08:16:32 PDT