Bugtraq mailing list archives
Re: More Microsoft debri
From: jerobins () UNITY NCSU EDU (James E. Robinson, III)
Date: Thu, 23 Apr 1998 21:33:25 -0400
[On Thu Apr 23 14:36:00 1998, pedward () WEBCOM COM wrote]
[snip snip]
(Oh, BTW, there exists a very HUGE privacy hole in the FP extensions). If you go to a site that has FP extensions, just pick any directory in the URL, yank the filename off, and put "_vti_cnf" there instead...you'll get a complete listing of all the files in the real directory. With this you can snatch files that weren't meant to be seen by the public...and it's available on ALL FP enabled sites.
Incorrect. This reflects on the web server configuration, not necessarily that of FP....same goes for the password file snatching. i.e. it's easy to set up Apache to prevent this stuff. Though, FP does want to keep "touching" various files, including the .htaccess files...changing the permissions after FP has created them keeps everything in check (so long as httpd and FP can still *read* the files).

James

--
James E. Robinson, III | james () ncstate net | Lead Systems Programmer
NC State University | NCState.Net | http://www.ncstate.net/
Information Technology | PGP key at http://www.ncstate.net/james/pgp/
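
The kind of server-side setup the reply refers to, as an added example that is not part of the original post. It uses current Apache 2.4 syntax rather than the 1998-era directives. The document root /var/www/html is an assumed path, and _vti_pvt is included alongside the _vti_cnf directory named in the thread on the assumption that FrontPage's private files there should be closed to HTTP as well.

```apache
# Added example, not from the thread. /var/www/html is an assumed DocumentRoot.

# Weak setting, shown commented out for comparison: with Indexes enabled,
# a request for a directory that has no index file (a _vti_cnf directory,
# for instance) is answered with a generated listing of its contents.
#<Directory "/var/www/html">
#    Options Indexes FollowSymLinks
#    Require all granted
#</Directory>

# Corrected: no generated directory listings anywhere under the document root.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    Require all granted
</Directory>

# Refuse HTTP requests for the FrontPage metadata directories at any depth.
# The extensions read these directories through the filesystem, so denying
# web access to them does not stop FrontPage from using them.
<DirectoryMatch "/_vti_(cnf|pvt)(/|$)">
    Require all denied
</DirectoryMatch>

# Never serve .htaccess or .htpasswd files themselves.
<Files ".ht*">
    Require all denied
</Files>
```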