[10153] in bugtraq


Webcom's CGI Guestbook for Win32 web servers

daemon@ATHENA.MIT.EDU (Mnemonix)
Fri Apr 9 16:37:47 1999

Date: 	Fri, 9 Apr 1999 20:41:39 +0100
Reply-To: Mnemonix <mnemonix@GLOBALNET.CO.UK>
From: Mnemonix <mnemonix@GLOBALNET.CO.UK>
X-To:         ntbugtraq@listserv.ntbugtraq.com
To: BUGTRAQ@NETSPACE.ORG

I reported a while back on Webcom's (www.webcom.se) CGI Guestbook
(wguest.exe and rguest.exe) having a number of security problems where
any text based file on an NT machine could be read from the file system
provided the attacker knew the path to the file and the Anonymous
Internet Account (IUSR_MACHINENAME on IIS) has the NTFS read right to
the file in question. On machines such as Windows 95/98 without local
file security every file is readable. wguest.exe is used to write to the
Guestbook and rguest.exe is used to read from the Guestbook.

Their latest version has made this simpler: A request for
http://server/cgi-bin/wguest.exe?template=c:\boot.ini will return the
remote Web server's boot.ini and
http://server/cgi-bin/rguest.exe?template=c:\winnt\system32\$winnt$.inf
will return the $winnt$.inf file.

Why the developers at Webcom have not resolved this issue in their
latest version is bordering the criminal. I received no response to my
mail to them about this. Anybody using this Guestbook should remove it
as soon as possible and obtain another CGI Guestbook if you really need
one.

Cheers,
David Litchfield

http://www.arca.com
http://www.infowar.co.uk/mnemonix/
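
For administrators checking whether a server was probed this way, the following is an added example and not part of the original post: a small scanner that flags logged requests to wguest.exe or rguest.exe whose template parameter is an absolute, rooted or parent-directory path. The Common Log Format layout, the function names and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# CGI program names from the advisory; Windows paths are case-insensitive.
GUESTBOOK_CGI = {"wguest.exe", "rguest.exe"}
# Drive letter, rooted or UNC path, or a parent-directory ("..") segment.
SUSPICIOUS_PATH = re.compile(r"^(?:[a-zA-Z]:|[\\/])|(?:^|[\\/])\.\.(?:[\\/]|$)")
# Request field of a Common Log Format line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_template(url):
    """Return the offending template value for a guestbook request, else None."""
    parts = urlsplit(url)
    program = parts.path.rsplit("/", 1)[-1].lower()
    if program not in GUESTBOOK_CGI:
        return None
    # parse_qs percent-decodes, so template=c%3A%5Cboot.ini is caught as well.
    params = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    for value in params.get("template", []):
        if SUSPICIOUS_PATH.search(value):
            return value
    return None

def scan(log_lines):
    """Return (line_number, template_value) for every flagged request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        value = suspicious_template(match.group(1)) if match else None
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample lines (documentation-range IPs), not from a real server.
SAMPLE_LOG = [
    r'192.0.2.10 - - [09/Apr/1999:20:41:39 +0100] "GET /cgi-bin/wguest.exe?template=c:\boot.ini HTTP/1.0" 200 312',
    r'192.0.2.10 - - [09/Apr/1999:20:41:52 +0100] "GET /cgi-bin/rguest.exe?template=c:\winnt\system32\$winnt$.inf HTTP/1.0" 200 941',
    r'192.0.2.11 - - [09/Apr/1999:20:43:05 +0100] "GET /CGI-BIN/WGUEST.EXE?Template=c%3A%5Cboot.ini HTTP/1.0" 200 312',
    # Assumed benign: a relative template name (hypothetical file name).
    r'192.0.2.12 - - [09/Apr/1999:20:44:10 +0100] "GET /cgi-bin/rguest.exe?template=guest.htm HTTP/1.0" 200 2048',
    r'192.0.2.12 - - [09/Apr/1999:20:44:30 +0100] "GET /index.htm HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: guestbook template outside the template set: {value}")
```

A hit only shows that the request was made; whether the file was returned depends on the read rights of the anonymous account described in the post.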




