Bugtraq mailing list archives

Re: More vulnerabilities in FP


From: sozni () USA NET (.sozni)
Date: Thu, 20 Apr 2000 10:50:50 MDT


As well, the file existence test listed under Problem#3 works for
files outside of the webroot but on the same volume. For example,
if your webroot is at d:\Inetpub\wwwroot, the request,

http://server/cgi-bin/htimage.exe/test.doc?0,0

will test for the existence of a file d:\test.doc. Note, however, that
htimage.exe checks for the file d:\Inetpub\wwwroot\test.doc first and then
d:\test.doc.
It does not allow me to test for file existence on other volumes.

Taking this one step further, you could also use this to verify names or
existence of other significant directories.

For example, to verify the name of their NT directory:
http://server/cgi-bin/htimage.exe/winnt/win.ini?0,0

If indeed the NT directory is named winnt, you will get the appropriate error,
otherwise you will get the Config File not found error.

You can also get the full physical path of virtual directories by doing
something like this (in w2k/FP4):

http://server/cgi-bin/htimage.exe/_vti_bin?0,0

Which on my system returned:

Picture config file not found, tried the following:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\isapi

Note, however, that if any error occurs in reading the file (such as access
denied), it treats it as if the file is not found.  Therefore, requests
for things like pagefile.sys will return an error that the Picture config file
is not found.

Oh and one more thing, it can also be used to verify system devices such as
LPT and Com ports.  Yeah, big deal but it is something to ponder:

http://server/cgi-bin/htimage.exe/lpt1?0,0
http://server/cgi-bin/htimage.exe/com1?0,0

If the device exists, the web client will seem to stall.  If it doesn't exist,
you get the standard error.

.sozni
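The post above describes htimage.exe acting as a file-existence and path-disclosure oracle: the PATH_INFO after htimage.exe is opened as an image-map config file, and the error text (or a stalled request on a device name) tells the client what is on disk. From the defender's side, the useful artefact is the web server log. The following Python scan is an added example, not code from the post or from FrontPage; it parses a few constructed W3C-style IIS log lines (made up for illustration) and flags htimage.exe requests whose target is a Windows reserved device name or one of the system paths named in the post, plus any client that walks through several distinct htimage.exe targets, which is the enumeration pattern the post describes. The log field layout and the `enum_threshold` value are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (W3C extended format, fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# These are made-up entries for illustration, not real server logs.
SAMPLE_LOG = """\
2000-04-20 10:50:50 192.0.2.10 GET /cgi-bin/htimage.exe/test.doc 0,0 200
2000-04-20 10:50:51 192.0.2.10 GET /cgi-bin/htimage.exe/winnt/win.ini 0,0 200
2000-04-20 10:50:52 192.0.2.10 GET /cgi-bin/htimage.exe/_vti_bin 0,0 200
2000-04-20 10:50:53 192.0.2.10 GET /cgi-bin/htimage.exe/pagefile.sys 0,0 200
2000-04-20 10:50:54 192.0.2.10 GET /cgi-bin/htimage.exe/lpt1 0,0 200
2000-04-20 10:51:00 198.51.100.7 GET /cgi-bin/htimage.exe/images/map.map 12,34 200
2000-04-20 10:51:05 198.51.100.7 GET /index.html - 200
"""

# Windows reserved device names; htimage.exe opening one stalls the request.
RESERVED_DEVICES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)

# Path fragments from the post that should never be an image-map config file.
SENSITIVE_HINTS = ("winnt", "win.ini", "pagefile.sys", "_vti_bin")

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d+)$"
)
HTIMAGE_RE = re.compile(r"/htimage\.exe(?P<path>/[^?\s]*)?", re.IGNORECASE)


def parse_line(line):
    """Split one log line into named fields; None if it does not match the assumed layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def htimage_target(stem):
    """Return the PATH_INFO after htimage.exe, or None if the request is not for htimage.exe."""
    m = HTIMAGE_RE.search(stem)
    if not m:
        return None
    return m.group("path") or ""


def classify(target):
    """Label one htimage.exe target path; None when it looks like ordinary image-map use."""
    lowered = target.lower()
    last = lowered.rsplit("/", 1)[-1]
    base = last.split(".", 1)[0]  # 'lpt1.txt' still names the LPT1 device on Windows
    if base in RESERVED_DEVICES:
        return "reserved device name"
    if any(hint in lowered for hint in SENSITIVE_HINTS):
        return "system path / sensitive file"
    return None


def scan(log_text, enum_threshold=3):
    """Return (findings, enumerators).

    findings: list of (client_ip, target, reason) for individually suspicious requests.
    enumerators: client IPs that probed at least enum_threshold distinct htimage.exe targets.
    """
    findings = []
    paths_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        target = htimage_target(rec["stem"])
        if target is None:
            continue
        paths_by_ip[rec["ip"]].add(target)
        reason = classify(target)
        if reason:
            findings.append((rec["ip"], target, reason))
    enumerators = sorted(
        ip for ip, paths in paths_by_ip.items() if len(paths) >= enum_threshold
    )
    return findings, enumerators


if __name__ == "__main__":
    found, enums = scan(SAMPLE_LOG)
    for ip, target, reason in found:
        print(f"{ip} -> htimage.exe{target}: {reason}")
    for ip in enums:
        print(f"{ip}: multiple distinct htimage.exe targets (possible file-existence probing)")
```

Individually harmless-looking probes such as the test.doc request are caught only by the per-client count, which is why the scan keeps both signals; on a real server the threshold and the list of sensitive fragments would be tuned to the site's actual image-map layout.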
