Bugtraq mailing list archives

Re: WebServer Pro All Version Vulnerability


From: "Eric D. Williams" <eric () INFOBRO COM>
Date: Thu, 22 Mar 2001 16:44:37 -0500

Hello all;

Ahh yes...this is very true, however, security-conscious WebSite users should
know that there is an easy fix for this by applying a simple WSAPI-compliant
DLL (no, don't read this as a cop-out for O'Reilly, but it is a fix / workaround
for this issue) such as HAL9000.dll and a quick modification to the
registry to load the WSAPI extension.  Check out http://wgg.com/wgg/best/ for
some good WebSite *API utilities.  I want to say this is one of the reasons
that early httpd.exe was such a good entrant: the author (?? Denny ??) never
seemed to let go of the close ties to the users of his product and their
concerns with security.  I think I have seen maybe two WebSite security-related
issues on BugTraq (although there may be many more :); that's a good sign, I
think.

Eric
Eric Williams, Pres.
Information Brokers, Inc.    Phone: +1 202.889.4395
http://www.infobro.com/        Fax: +1 202.889.4396
              mailto:eric () infobro com
           For More Info: info () infobro com
                    PGP Public Key
   http://new.infobro.com/KeyServ/EricDWilliams.asc
Finger Print: 1055 8AED 9783 2378 73EF  7B19 0544 A590 FF65 B789


On Tuesday, March 20, 2001 1:44 PM, Fab Siciliano
[SMTP:fsiciliano () EARTHLINK NET] wrote:
Actually, you can request ANY file that doesn't exist....and receive the
same error.....just for the sake of tryin', I typed in:
http://vulnerable.server.com/html.html and got the path to the file, I guess
it's your typical Path Disclosure vulnerability. Not sure about a patch on
this one.


----- Original Message -----
From: Roberto Moreno <mroberto98 () YAHOO COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Friday, March 16, 2001 5:44 PM
Subject: WebServer Pro All Version Vulnerability


WebServer Pro All Version Vulnerability

Wildman
wildman () hackcanada com
mroberto98 () yahoo com



--------------------------------------------------------------------------------


-- WebSite Pro 2.5.4/all versions Vulnerability -- March 15, 2001

Website Pro, all versions, reveals the web directory with a simple
character similar to the past vulnerability but all have been fixed
except this one.

Example:

www.target.com/:/              <-this will reveal the exact location


403 Forbidden
File for URL /:/ (E:\webdir\:) cannot be accessed:
   The filename, directory name, or volume label syntax is incorrect.

(code=123)

No fix yet.


~~~~~~~~~~~~~~~~~~~~
Wildman
www.hackcanada.com
wildman () hackcanada com
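An added example, not part of the original thread or of any WebSite tooling: a small Python check that an administrator can run over captured error responses to flag and redact absolute filesystem paths of the kind shown in the 403 message above. The function names, the path patterns and the sample responses are this example's own assumptions; the 403 body is copied from the post and the 404 body is constructed.

```python
import re

# Patterns for absolute filesystem paths (this example's own choices):
# Windows drive paths, UNC paths, and a few common Unix roots.
PATH_PATTERNS = [
    re.compile(r"(?<![A-Za-z])[A-Za-z]:\\[^\s\"'<>()]*"),
    re.compile(r"\\\\[\w.$-]+\\[^\s\"'<>()]+"),
    re.compile(r"(?<![\w/:.])/(?:var|srv|home|usr|opt|etc)/[^\s\"'<>()]*"),
]


def find_disclosed_paths(body):
    """Return every absolute filesystem path found in a response body."""
    hits = []
    for pattern in PATH_PATTERNS:
        hits.extend(m.group(0) for m in pattern.finditer(body))
    return hits


def redact(body, placeholder="[path removed]"):
    """Return the body with each disclosed path replaced by a placeholder."""
    for pattern in PATH_PATTERNS:
        body = pattern.sub(placeholder, body)
    return body


def audit(responses):
    """responses: iterable of (url_path, status, body) tuples.
    Return (url_path, status, paths) for each error response leaking a path."""
    findings = []
    for url_path, status, body in responses:
        if status >= 400:
            paths = find_disclosed_paths(body)
            if paths:
                findings.append((url_path, status, paths))
    return findings


# Sample input: first body is the error text quoted in the post,
# second is a constructed error page that leaks nothing.
SAMPLE_RESPONSES = [
    ("/:/", 403, "403 Forbidden\nFile for URL /:/ (E:\\webdir\\:) cannot be "
                 "accessed:\n   The filename, directory name, or volume label "
                 "syntax is incorrect.\n(code=123)"),
    ("/html.html", 404, "404 Not Found\nThe requested URL was not found."),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(finding)
    print(redact(SAMPLE_RESPONSES[0][2]))
```
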