[13358] in bugtraq


Re: WebSitePro/2.3.18 is revealing Webdirectories

daemon@ATHENA.MIT.EDU (Lark Lizerman)
Fri Jan 14 23:45:11 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <022701bf5e62$b245fb80$beffcd98@u1u7p1>
Date:         Thu, 13 Jan 2000 23:40:55 -0800
Reply-To: Lark Lizerman <webmaster@DOC2000.DE>
From: Lark Lizerman <webmaster@DOC2000.DE>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

In case of an installed extension you have to call "GET /HTTP1.0 \", which
bypasses it.
My second posting regarding this describes how to bypass it on the new version.
This bug should be taken as seriously as the IIS bug because on the NT platform
WebSitePro is _the_ optional Webserver to MS IIS.

greets

Lark Lizerman
lizerman@doc2000.de


> Every version of website (1.x, 2.x) I've ever seen behaves like this in
> standard configuration. However you can avoid the revealing of webdirectories
> by installing either one of two freely available WSAPI extensions which then
> send out custom 404, 403 and 401 messages.
>
> For more information see
>
> http://software.oreilly.com/techsupport/kb/
> website_kb_article_display_frame.cfm?ID_KBArticle=102
> (url is wrapped!)
>
> btw: there is a similar tool for coldfusion called infusion but I can't find
> the URL right now.
>
> Hope this helps,
> Christoph Schneeberger
> cschnee \at\ telemedia.ch
