Re: WebServer Pro All Version Vulnerability

[Fab Siciliano <fsiciliano () EARTHLINK NET>]

Actually, you can request ANY file that doesn't exist....and recieve the
same error.....just for the sake of tryin', i typed in:
http://vulnerable.server.com/html.html and got the path to the file, I guess
it's your typical Path Disclosure vulnerability. Not sure about a patch on
this one.


----- Original Message -----
From: Roberto Moreno <mroberto98 () YAHOO COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Friday, March 16, 2001 5:44 PM
Subject: WebServer Pro All Version Vulnerability


> WebServer Pro All Version Vulnerability
>
> Wildman
> wildman () hackcanada com
> mroberto98 () yahoo com
>
> __________________________________________________
> Do You Yahoo!?
> Get email at your own domain with Yahoo! Mail.
> http://personal.mail.yahoo.com/


----------------------------------------------------------------------------
----


> -- WebSite Pro 2.5.4/all versions Vulnerability -- March 15, 2001
>
> Website Pro, all versions, reveals the web directory with a simple
>
> character similar to the past vulnerability but all have been fixed
>
> except this one.
>
> Example:
>
> www.target.com/:/              <-this will reveal the exact location
>
>
> 403 Forbidden
> File for URL /:/ (E:\webdir\:) cannot be accessed:
>    The filename, directory name, or volume label syntax is incorrect.
>
> (code=123)
>
> No fix yet.
>
>
> ~~~~~~~~~~~~~~~~~~~~
> Wildman
> www.hackcanada.com
> wildman () hackcanada com