[18990] in bugtraq
Web root exposure in HSWeb Webserver
daemon@ATHENA.MIT.EDU (joetesta@HUSHMAIL.COM)
Sun Feb 4 21:48:16 2001
Message-Id: <200102041645.IAA21591@user7.hushmail.com>
Date: Sun, 4 Feb 2001 11:48:21 -0800
Reply-To: joetesta@HUSHMAIL.COM
From: joetesta@HUSHMAIL.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Overview
HSWeb v2.0 is a webserver available from http://www.jeffheaton.com and
http://www.download.com. Any remote user can discover the physical path
of the web root if directory browsing is enabled.
Details
If directory browsing is enabled, then going to the following URL:
http://localhost/cgi/
will cause HSWeb to respond with:
Directory listing of d:\hs\WWWRoot\cgi\
Type File Name Size Last Modified
[DIR] Parent Directory - Sun. 28 Jan 2001 10:38:08 GMT
Solution
Turn off directory browsing.
Vendor Status
The author of the program, Jeff Heaton, was notified via
<info@heat-on.com> on Sunday, January 28, 2001. No reply was received.
- Joe Testa ( joetesta@hushmail.com )
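
Added example (not part of the original advisory and not HSWeb's code): a Python check an operator can run over captured response bodies to flag a physical path disclosure like the one quoted above, together with a listing title built from the URL path instead of the disk path. The function names, the list of Unix roots and the embedded sample body are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Absolute Windows paths (d:\hs\...) or UNC paths (\\host\share\...) in a body.
WIN_PATH = re.compile(r'(?:\b[A-Za-z]:\\|\\\\)[^\s<>"\'|?*]+')
# Absolute Unix paths under common server roots (assumed list; extend as needed).
UNIX_PATH = re.compile(r'(?<![\w/.:])/(?:var|srv|home|usr|opt|etc)/[^\s<>"\']+')


def find_path_disclosure(body: str) -> list[str]:
    """Return the physical filesystem paths that appear in a response body."""
    hits = WIN_PATH.findall(body) + UNIX_PATH.findall(body)
    return sorted(set(hits))


def listing_title(web_root: str, physical_dir: str) -> str:
    """Build the listing title from the URL path only, never the disk path.

    relative_to() raises ValueError when physical_dir is outside web_root,
    so a directory that is not under the web root is never titled at all.
    """
    rel = PureWindowsPath(physical_dir).relative_to(PureWindowsPath(web_root))
    return "Directory listing of /" + "/".join(rel.parts) + ("/" if rel.parts else "")


# Constructed sample: the response body quoted in the advisory.
LEAKY = ("Directory listing of d:\\hs\\WWWRoot\\cgi\\\n"
         "Type File Name Size Last Modified\n"
         "[DIR] Parent Directory - Sun. 28 Jan 2001 10:38:08 GMT\n")

if __name__ == "__main__":
    print("leaked paths:", find_path_disclosure(LEAKY))
    print("safe title:  ", listing_title("d:\\hs\\WWWRoot", "d:\\hs\\WWWRoot\\cgi\\"))
```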