Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: More Microsoft debri

From: jerobins () UNITY NCSU EDU (James E. Robinson, III)
Date: Thu, 23 Apr 1998 21:33:25 -0400


[On Thu Apr 23 14:36:00 1998, pedward () WEBCOM COM wrote]


[snip snip]


(Oh, BTW, there exists a very HUGE privacy hole in the FP
extenstions).  If you go to a site that has FP extensions, just pick
any directory in the URL, yank the filename off, and put "_vti_cnf"
there instead...you'll get a complete listing of all the files in the
real directory.  With this you can snatch files that weren't meant to
be seen by the public...and it's available on ALL FP enabled sites.


Incorrect.  This reflects on the web server configuration, not
necessarily that of FP....same goes for the password file snatching.
i.e. it's easy to set up Apache to prevent this stuff.  Though, FP does
want to keep "touching" various files, including the .htaccess
files...changing the permissions after FP has created them keeps
everything in check (so long as httpd and FP can still *read* the
files).

  James

--
James E. Robinson, III | james () ncstate net | Lead Systems Programmer
NC State University    |    NCState.Net    | http://www.ncstate.net/
Information Technology | PGP key at http://www.ncstate.net/james/pgp/
Previous By Date Next
Previous By Thread Next

Current thread: