Full Disclosure mailing list archives
IFH-ADV-31337 File Source disclosure vulnerability in all web servers.
From: "Hugo Vazquez Carapez" <infohacking () hushmail com>
Date: Wed, 16 Jun 2004 12:59:36 -0700
File Source disclosure vulnerability in all web servers.

Infohacking Security Advisory 04.16.04
www.infohacking.com
Jun 16, 2004

I. BACKGROUND

We discovered a very dangerous file source disclosure vulnerability in all
webservers. This issue can be exploited using Microsoft Internet Explorer
and probably other browsers.

II. DESCRIPTION

Remote exploitation of this issue can be achieved by clicking with the right
button into the website and selecting the "view source code" option. This
option will display the contents of the html code.

For more leet exploitation is also possible using

lynx --source http://vulnerable.site/file.html

III. ANALYSIS

Successful exploitation allows an attacker to gain very very very sensible
information of the website.

IV. DETECTION

Infohacking has confirmed that all webservers are vulnerable to this
problem. Sites like microsoft, securityfocus, hack.co.za and others are
vulnerable too!

V. WORKAROUNDS

No work.. indeed.

VI. CVE INFORMATION

This is an 0day bug... so still no bid and CVE.

VII. DISCLOSURE TIMELINE

02/18/04 Hugo notified the bug to abuse@255.255.255.255
03/11/04 Initial vendor notification - no response
03/30/04 Secondary vendor notification - no response
05/20/04 We hack iberia.com
06/17/04 Public Disclosure

VIII. CREDIT

Hugo Vázquez Carapez
http://www.infohacking.com/dirhugo.gif

Get pwned by script kiddies?
Call us, we can hack you again.

IX. LEGAL NOTICES

Copyright (c) 2004 INFOHACKING, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
INFOHACKING. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please email
info () infohacking com for permission.

Disclaimer: Infohacking is pretty whitehat and lame. If you are a part of
the blackhat community, please hack and remove us from the net.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- IFH-ADV-31337 File Source disclosure vulnerability in all web servers. Hugo Vazquez Carapez (Jun 16)
- Re: IFH-ADV-31337 File Source disclosure vulnerability in all web servers. morning_wood (Jun 16)