Bugtraq mailing list archives
Re: WebServer Pro All Version Vulnerability
From: "Eric D. Williams" <eric () INFOBRO COM>
Date: Thu, 22 Mar 2001 16:44:37 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all;

Ahh yes...this is very true, however, security conscious WebSite users should know that there is an easy fix for this by applying a simple WSAPI compliant DLL (no, don't read this as a cop out for O'Reilly, but it is a fix / workaround for this issue) such as HAL9000.dll and a quick modification to the registry to load the WSAPI extension. Check out http://wgg.com/wgg/best/ for some good WebSite *API utilities.

I want to say this is one of the reasons that early httpd.exe was such a good entrant; the author ( ?? Denny ?? ) never seemed to let go of the close ties to the users of his product and their concerns with security. I think I have seen maybe two WebSite security related issues on BugTraq (although there may be many more :) that's a good sign, I think.

Eric

Eric Williams, Pres.
Information Brokers, Inc.
Phone: +1 202.889.4395
Fax: +1 202.889.4396
http://www.infobro.com/
mailto:eric () infobro com
For More Info: info () infobro com
PGP Public Key http://new.infobro.com/KeyServ/EricDWilliams.asc
Finger Print: 1055 8AED 9783 2378 73EF 7B19 0544 A590 FF65 B789

On Tuesday, March 20, 2001 1:44 PM, Fab Siciliano [SMTP:fsiciliano () EARTHLINK NET] wrote:
Actually, you can request ANY file that doesn't exist....and receive the same error.....just for the sake of tryin', I typed in: http://vulnerable.server.com/html.html and got the path to the file. I guess it's your typical Path Disclosure vulnerability. Not sure about a patch on this one.

----- Original Message -----
From: Roberto Moreno <mroberto98 () YAHOO COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Friday, March 16, 2001 5:44 PM
Subject: WebServer Pro All Version Vulnerability

Wildman
wildman () hackcanada com
mroberto98 () yahoo com

----------------------------------------------------------------------------
WebSite Pro 2.5.4/all versions Vulnerability -- March 15, 2001

Website Pro, all versions, reveals the web directory with a simple character similar to the past vulnerability but all have been fixed except this one.

Example:
www.target.com/:/ <-this will reveal the exact location

403 Forbidden
File for URL /:/ (E:\webdir\:) cannot be accessed: The filename, directory name, or volume label syntax is incorrect. (code=123)

No fix yet.

~~~~~~~~~~~~~~~~~~~~
Wildman
www.hackcanada.com
wildman () hackcanada com
-----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQA/AwUBOrpyRQVEpZD/ZbeJEQLQ4QCdFp9o9SKfkiVdtInO1dHaSQPyAFoAoOr+ 8wI64DMdzK66gC4hPXQBqlmg =QL0q -----END PGP SIGNATURE-----
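
As a defensive check for the path disclosure discussed in this thread, the following added example (not code from any poster, and not the HAL9000.dll / WSAPI workaround itself) scans error response bodies for local Windows paths and redacts them. The function names and the sample responses are constructed for illustration; the error text is the one quoted in the advisory.

```python
import re

# Constructed sample: the error text quoted in the advisory in this thread.
SAMPLE_BODY = (
    "403 Forbidden\n"
    "File for URL /:/ (E:\\webdir\\:) cannot be accessed: The filename, "
    "directory name, or volume label syntax is incorrect. (code=123)"
)

# Drive-letter paths (E:\webdir\...) and UNC paths (\\host\share\...).
# The match stops at whitespace, quotes, angle brackets and parentheses.
LOCAL_PATH = re.compile(
    r"""(?<![A-Za-z0-9])(?:[A-Za-z]:\\|\\\\[^\\\s]+\\)[^\s"'<>()]*"""
)

def find_disclosed_paths(body):
    """Return every local filesystem path found in a response body."""
    return [m.group(0) for m in LOCAL_PATH.finditer(body)]

def redact(body, placeholder="[path removed]"):
    """Return the body with local paths replaced, keeping the rest intact."""
    return LOCAL_PATH.sub(placeholder, body)

def audit(responses):
    """responses: iterable of (url, status, body). Report 4xx/5xx leaks."""
    findings = []
    for url, status, body in responses:
        paths = find_disclosed_paths(body) if status >= 400 else []
        if paths:
            findings.append({"url": url, "status": status, "paths": paths})
    return findings

if __name__ == "__main__":
    # Constructed responses, as a scan of your own server might collect.
    collected = [
        ("/:/", 403, SAMPLE_BODY),
        ("/html.html", 404, "404 Not Found"),
    ]
    for finding in audit(collected):
        print(finding)
    print(redact(SAMPLE_BODY))
```

The same pattern can run in a test suite against a staging server's error pages, so a regression that reintroduces the path in an error body fails the build.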
Current thread:
- WebServer Pro All Version Vulnerability Roberto Moreno (Mar 19)
- Re: WebServer Pro All Version Vulnerability Fab Siciliano (Mar 21)
- <Possible follow-ups>
- Re: WebServer Pro All Version Vulnerability Eric D. Williams (Mar 23)