[19747] in bugtraq
Re: WebServer Pro All Version Vulnerability
daemon@ATHENA.MIT.EDU (Fab Siciliano)
Wed Mar 21 15:42:08 2001
Message-ID: <014501c0b16d$d98e30e0$6564303f@oemcomputer>
Date: Tue, 20 Mar 2001 13:44:25 -0500
Reply-To: Fab Siciliano <fsiciliano@EARTHLINK.NET>
From: Fab Siciliano <fsiciliano@EARTHLINK.NET>
X-To: Roberto Moreno <mroberto98@YAHOO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Actually, you can request ANY file that doesn't exist... and receive the
same error... just for the sake of tryin', I typed in:
http://vulnerable.server.com/html.html and got the path to the file, I guess
it's your typical Path Disclosure vulnerability. Not sure about a patch on
this one.
----- Original Message -----
From: Roberto Moreno <mroberto98@YAHOO.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Friday, March 16, 2001 5:44 PM
Subject: WebServer Pro All Version Vulnerability
> WebServer Pro All Version Vulnerability
>
> Wildman
> wildman@hackcanada.com
> mroberto98@yahoo.com
>
> -- WebSite Pro 2.5.4/all versions Vulnerability -- March 15, 2001
>
> Website Pro, all versions, reveals the web directory with a simple
> character similar to the past vulnerability but all have been fixed
> except this one.
>
> Example:
>
> www.target.com/:/ <-this will reveal the exact location
>
>
> 403 Forbidden
> File for URL /:/ (E:\webdir\:) cannot be accessed:
> The filename, directory name, or volume label syntax is incorrect.
>
> (code=123)
>
> No fix yet.
>
>
> ~~~~~~~~~~~~~~~~~~~~
> Wildman
> www.hackcanada.com
> wildman@hackcanada.com
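
A server-side check for the leak discussed in this thread, as an added example that is not part of the original messages or of WebSite Pro: it scans an outgoing error body for absolute filesystem paths and redacts them before the response is sent. The function names, the list of Unix root directories and the second sample body are assumptions constructed for illustration; the first sample is the 403 body quoted above.

```python
import re

# Characters that end a path inside an error message (assumed delimiter set).
_TAIL = r"[^\s<>()\"']*"
# Windows: drive letter + backslash (E:\webdir\:) or a UNC prefix (\\host\share).
_WIN = r"(?:[A-Za-z]:\\|\\\\[\w.-]+\\)" + _TAIL
# Unix: paths under common roots (assumed list; extend for your layout).
_NIX = r"/(?:var|srv|home|usr|opt|etc|tmp)/" + _TAIL
# The lookbehind keeps URL paths such as http://host/var/x from matching.
PATH_RE = re.compile(rf"(?<![\w/:])(?:{_WIN}|{_NIX})")


def find_path_leaks(body: str) -> list[str]:
    """Return every absolute filesystem path found in a response body."""
    return [m.group(0) for m in PATH_RE.finditer(body)]


def redact_error_body(body: str) -> tuple[str, list[str]]:
    """Return (body safe to send, leaked paths to record in the server log)."""
    leaks = find_path_leaks(body)
    return PATH_RE.sub("[path withheld]", body), leaks


# The 403 body quoted in the advisory above.
PAGE_403 = (
    "403 Forbidden\n"
    r"File for URL /:/ (E:\webdir\:) cannot be accessed:" "\n"
    "The filename, directory name, or volume label syntax is incorrect.\n"
    "(code=123)\n"
)

# Constructed sample: a Unix-style variant of the non-existent file case.
CONSTRUCTED_404 = (
    "404 Not Found\n"
    "/srv/www/site/html.html does not exist "
    "(requested as http://vulnerable.server.com/html.html)\n"
)

if __name__ == "__main__":
    for sample in (PAGE_403, CONSTRUCTED_404):
        safe, leaked = redact_error_body(sample)
        print("leaked:", leaked)
        print(safe)
```

Running the same scan over stored responses or proxy logs flags servers that still return the document root in 403 and 404 pages.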