[13929] in bugtraq
Re: Doubledot bug in FrontPage FrontPage Personal Web Server.
daemon@ATHENA.MIT.EDU (GALES,SIMON (Non-A-ColSprings,ex1))
Fri Feb 18 20:38:03 2000
Message-Id:  <0DB7B6E06277D311B797009027AA5B4A472AD1@axcs01.cs.itc.hp.com>
Date:         Fri, 18 Feb 2000 14:46:47 -0700
Reply-To: "GALES,SIMON (Non-A-ColSprings,ex1)" <george_gales@NON.HP.COM>
From: "GALES,SIMON (Non-A-ColSprings,ex1)" <george_gales@NON.HP.COM>
X-To:         "BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
I've attempted to reproduce this on:
    Windows NT 4.0 Workstation SP5
    Windows NT 4.0 Workstation SP3
    Windows NT 4.0 Workstation SP1
with no joy.
I'm running FP98, which installed PWS 3.0.2.926.
Does this only occur on Win9x?  Has anyone been able to reproduce this?
Jan, which OS/SP were you running?
I vaguely remember some discussion (in BugTraq or NTBugTraq maybe?) about
using "..." and/or "...." from the command prompt, and this is probably tied
to that problem.
G. Simon Gales
george_gales@non.hp.com <mailto:george_gales@non.hp.com>
-----Original Message-----
From: Jan van de Rijt [mailto:rijt@WISH.NET]
Sent: Tuesday, February 15, 2000 6:16 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Doubledot bug in FrontPage FrontPage Personal Web Server.
Description: Doubledot bug in FrontPage FrontPage Personal Web Server.
Compromise: Accessing drive through browser.
Vulnerable Systems: Frontpage-PWS32/3.0.2.926; other versions not tested.
Details:
When FrontPage-PWS runs a site on your c:\ drive, your drive could be
accessed by any user accessing your page, simply by requesting any file in
any directory except the files in the FrontPage dir., especially /_vti_pvt/.
How to exploit this bug?
Simply adding /..../ in the URL address bar.
http://www.target.com/..../<any_dir>/<any_file>
so by requesting http://www.target.com/..../Windows/Admin.pwl the webserver
lets us download the .pwl file from the target.
Files and dirs. with the hidden attribute set are vulnerable.
Solution:
The best solution is installing FrontPage on a drive that doesn't contain
private information.
Greetings,
Jan van de Rijt aka The Warlock.
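The advisory above turns on one detail: a path-normalising layer that only understands "." and ".." passes a segment like "...." through as an ordinary file name, and a filesystem that treats that segment as an alias for "../.." then walks out of the web root. The following is an added example, not code from this thread or from FrontPage PWS; it shows a defender-side request-path mapper that refuses dot-only segments before touching the filesystem and then confirms the resolved path still sits under the web root, plus a small scan over constructed access-log lines that flags the same requests. `WEBROOT`, `SAMPLE_LOG` and every function name are assumptions made up for the example.

```python
"""Added example (not part of the BugTraq thread): map a request path to a
file under a web root, refusing dot-only segments such as "....".

Assumptions (constructed for this example): WEBROOT, the sample log lines
and all function names are hypothetical; none come from FrontPage PWS.
"""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

WEBROOT = "/srv/www"  # constructed web root for the example

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def has_dot_only_segment(url_path: str) -> bool:
    """True if any path segment consists solely of three or more dots.

    posixpath.normpath only understands "." and "..", so "..." or "...."
    survives normalisation as an ordinary file name; a filesystem that
    treats such a segment as an alias for "../.." then escapes the web
    root. Refusing these segments up front closes that gap; plain ".." is
    left to normpath and the prefix check below.
    """
    for seg in url_path.split("/"):
        if len(seg) >= 3 and set(seg) == {"."}:
            return True
    return False


def map_to_file(url_path: str, webroot: str = WEBROOT) -> Optional[str]:
    """Return the filesystem path for url_path, or None if it must be refused.

    Steps: percent-decode once, fold backslashes into slashes (Windows
    accepts both), refuse dot-only segments, then normalise the joined
    path and confirm it still lies under the web root.
    """
    decoded = unquote(url_path).replace("\\", "/")
    if has_dot_only_segment(decoded):
        return None
    full = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    root = posixpath.normpath(webroot)
    if full != root and not full.startswith(root + "/"):
        return None  # ".." sequences resolved to a path outside the web root
    return full


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Feb/2000:18:16:01 -0700] "GET /index.html HTTP/1.0" 200 1032',
    '10.0.0.9 - - [15/Feb/2000:18:16:07 -0700] "GET /..../Windows/Admin.pwl HTTP/1.0" 200 688',
    '10.0.0.9 - - [15/Feb/2000:18:16:09 -0700] "GET /%2e%2e%2e%2e/autoexec.bat HTTP/1.0" 200 412',
    '10.0.0.7 - - [15/Feb/2000:18:16:12 -0700] "GET /docs/../index.html HTTP/1.0" 200 1032',
]


def flag_traversal_requests(lines: List[str]) -> List[str]:
    """Return the request paths from access-log lines that map_to_file refuses."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and map_to_file(m.group(1)) is None:
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for path in ["/index.html", "/..../Windows/Admin.pwl", "/../../etc/passwd"]:
        print(f"{path!r:32} -> {map_to_file(path)}")
    print("flagged:", flag_traversal_requests(SAMPLE_LOG))
```

The order of the checks matters: decoding happens exactly once before the segment check, so `%2e%2e%2e%2e` and a literal `....` are treated the same, and the final prefix comparison catches ordinary `..` traversal that normalisation resolves outside the root. The log scan reuses the same mapper, so whatever the server would refuse is exactly what the detector flags.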