Bugtraq mailing list archives

Re: Doubledot bug in FrontPage FrontPage Personal Web Server.


From: george_gales () NON HP COM (GALES,SIMON (Non-A-ColSprings,ex1))
Date: Fri, 18 Feb 2000 14:46:47 -0700


I've attempted to reproduce this on:
    Windows NT 4.0 Workstation SP5
    Windows NT 4.0 Workstation SP3
    Windows NT 4.0 Workstation SP1
with no joy.

I'm running FP98, which installed PWS 3.0.2.926.

Does this only occur on Win9x?  Has anyone been able to reproduce this?
Jan, which OS/SP were you running?

I vaguely remember some discussion (in BugTraq or NTBugTraq maybe?) about
using "..." and/or "...." from the command prompt, and this is probably tied
to that problem.

G. Simon Gales
george_gales () non hp com

-----Original Message-----
From: Jan van de Rijt [mailto:rijt () WISH NET]
Sent: Tuesday, February 15, 2000 6:16 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Doubledot bug in FrontPage FrontPage Personal Web Server.

Description: Doubledot bug in FrontPage FrontPage Personal Web Server.
Compromise: Accessing drive through browser.
Vulnerable Systems: Frontpage-PWS32/3.0.2.926 other versions not tested.
Details:
When FrontPage-PWS runs a site on your c:\ drive your drive could be
accessed by any user accessing your page, simply by requesting any file in
any directory except the files in the FrontPage dir., especially /_vti_pvt/.

How to exploit this bug?
Simply adding /..../ in the URL addressbar.

http://www.target.com/..../<any_dir>/<any_file>

so by requesting http://www.target.com/..../Windows/Admin.pwl the webserver let us
download the .pwl file from the target.

Files and dirs. with the hidden attribute set are vulnerable.

Solution:
The best solution is installing FrontPage on a drive that doesn't contain
Private information.

Greetings,

Jan van de Rijt aka The Warlock.
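
A defender-side check for the request form described above, as an added example that is not part of either message: it refuses and flags any URL path containing a segment made only of dots, so `/..../` is caught along with `..`. The docroot `/srv/site`, the function names and the log lines are constructed for illustration.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# A segment made up only of dots ("..", "...", "....") is treated as traversal.
# A filter that only looks for ".." as a whole segment misses "/..../".
DOT_SEGMENT = re.compile(r"^\.{2,}$")
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines, not taken from a real server
    '192.0.2.10 - - [18/Feb/2000:14:40:01 -0700] "GET /index.htm HTTP/1.0" 200 1043',
    '192.0.2.44 - - [18/Feb/2000:14:41:17 -0700] "GET /..../Windows/Admin.pwl HTTP/1.0" 200 688',
    '192.0.2.44 - - [18/Feb/2000:14:41:30 -0700] "GET /%2e%2e%2e%2e/Windows/Admin.pwl HTTP/1.0" 200 688',
    '192.0.2.10 - - [18/Feb/2000:14:42:02 -0700] "GET /docs/v1.2/readme.txt HTTP/1.0" 200 5120',
]


def has_dot_segment(url_path: str) -> bool:
    """True if the percent-decoded path contains a dots-only segment."""
    decoded = unquote(url_path.split("?", 1)[0])
    # Split on both separators: Windows accepts "\" as well as "/".
    return any(DOT_SEGMENT.match(s) for s in re.split(r"[\\/]", decoded))


def resolve(docroot: str, url_path: str) -> Optional[str]:
    """Map a request path to a file under docroot; None means refuse it."""
    if has_dot_segment(url_path):
        return None
    rel = unquote(url_path.split("?", 1)[0]).lstrip("/")
    full = posixpath.normpath(posixpath.join(docroot, rel))
    # Second line of defence: the normalised result must stay inside docroot.
    if full != docroot and not full.startswith(docroot.rstrip("/") + "/"):
        return None
    return full


def flag_requests(lines: List[str]) -> List[str]:
    """Return the request paths in access-log lines that carry a dot segment."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m and has_dot_segment(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for path in flag_requests(SAMPLE_LOG):
        print("suspicious request:", path)
```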

