Bugtraq mailing list archives

Webcom's CGI Guestbook for Win32 web servers


From: mnemonix () GLOBALNET CO UK (Mnemonix)
Date: Fri, 9 Apr 1999 20:41:39 +0100


I reported a while back on Webcom's (www.webcom.se) CGI Guestbook
(wguest.exe and rguest.exe) having a number of security problems where
any text based file on an NT machine could be read from the file system
provided the attacker knew the path to the file and the Anonymous
Internet Account (IUSR_MACHINENAME on IIS) has the NTFS read right to
the file in question. On machines such as Windows 95/98 without local
file security every file is readable. wguest.exe is used to write to the
Guestbook and rguest.exe is used to read from the Guestbook.

Their latest version has made this simpler: A request for
http://server/cgi-bin/wguest.exe?template=c:\boot.ini will return the
remote Web server's boot.ini and
http://server/cgi-bin/rguest.exe?template=c:\winnt\system32\$winnt$.inf
will return the $winnt$.inf file.

Why the developers at Webcom have not resolved this issue in their
latest version is bordering on the criminal. I received no response to my
mail to them about this. Anybody using this Guestbook should remove it
as soon as possible and obtain another CGI Guestbook if you really need
one.

Cheers,
David Litchfield

http://www.arca.com
http://www.infowar.co.uk/mnemonix/
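
Added example (not part of the original post, and not Webcom's code): a Python check that scans web server access logs for requests to the two scripts named above whose template parameter names a drive, UNC, rooted or traversal path instead of a template file. The W3C-style field order, the sample log lines and the relative name guestbook.htm are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# The two CGI programs named in the advisory.
GUESTBOOK_CGI = re.compile(r"/(?:wguest|rguest)\.exe$", re.IGNORECASE)
# A template value that starts with a drive letter, a slash or backslash
# (rooted or UNC path), or that contains "..", is not a guestbook template.
SUSPICIOUS_PATH = re.compile(r"^(?:[a-z]:|[\\/])|\.\.[\\/]", re.IGNORECASE)

# Constructed sample log. Assumed field order (W3C extended style):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
1999-04-10 09:12:01 192.0.2.10 GET /cgi-bin/rguest.exe - 200
1999-04-10 09:13:44 192.0.2.77 GET /cgi-bin/wguest.exe template=c:\\boot.ini 200
1999-04-10 09:13:50 192.0.2.77 GET /cgi-bin/rguest.exe template=c%3A%5Cwinnt%5Csystem32%5C%24winnt%24.inf 200
1999-04-10 09:15:02 192.0.2.10 GET /cgi-bin/wguest.exe template=guestbook.htm 200
1999-04-10 09:16:30 192.0.2.31 GET /default.htm template=c:\\boot.ini 404
"""


def find_template_abuse(log_text):
    """Return (client_ip, script, decoded_template, status) per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip blanks and W3C directives
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        _, _, ip, _, stem, query, status = fields[:7]
        if not GUESTBOOK_CGI.search(stem) or query == "-":
            continue
        # parse_qs percent-decodes values; match the key case-insensitively.
        params = {k.lower(): v
                  for k, v in parse_qs(query, keep_blank_values=True).items()}
        for value in params.get("template", []):
            if SUSPICIOUS_PATH.search(value):
                script = stem.rsplit("/", 1)[-1].lower()
                hits.append((ip, script, value, status))
    return hits


if __name__ == "__main__":
    for hit in find_template_abuse(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request means the server answered it, so the named file should be treated as disclosed.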




