Re: Idiocy "exploit"

[jen () ETTNET SE (Joel Eriksson)]

On Wed, Dec 01, 1999 at 09:37:44PM -0800, Blue Boar wrote:
> Roy Wilson wrote:
> >         I was cruising a .GOV site the other day with GetRight in
> > Browse mode (an enhanced FTP client, it appears), while walking a
> > client through the directories he needed to traverse to find the file
> > he wanted (a database).
> >
> >         We were getting different file counts - his Netscape would show
> > 7 files, GR on my end would show 28.
> >
> >         After about two hours of messing around trying to find out what
> > was going on, we finally found it.
> >
> >         He had Netscape set to the default "Mozilla@" for anon login
> > password.  If I set GR to any email address other than the one I was
> > using the first time around, I only saw the seven files as well.
> >
> >         The other 21 files were the raw data the cgi script used to
> > build sorted db's for HTML display.
> >
> >         The email address that showed all data?
> >
> >                 fraud () irs gov
> >
> >         Being the curious person that I am, I started hitting state
> > level sites as well as federal.  About a third of them showed more
> > files with the fraud@ than with mozilla@.
>
> Any idea which FTP server package this is, or what options cause this
> behavior?  Care to share the name of one of the sites?

Some FTP-servers can be configured to let anonymous FTP-users that supply
a non-RFC822 compliant e-mail address as their password access a restricted
FTP-area. Roy: Try whatever@ and Mozilla@whatever and see what happens.

>                                               BB

--
Mvh Joel Eriksson