Vulnerability Development mailing list archives

Re: List Site Pro, an interesting number of site "hacks"


From: Michel Arboi <arboi () yahoo com>
Date: Tue, 10 Jul 2001 08:14:18 +0200 (CEST)

--- Siberian <siberian () sentry-labs com> wrote:
the file modified was lspro_list_header.txt I think, whose
permissions were set to 666. Are they using a simple put to
modify? Is put supported by any webserver by default?

Yes it is, by IIS (is this really a surprise? :)
If your permissions are wrong, it will accept "anonymous" PUT, without
a password.
As far as I know, there is no simple way to disable the PUT or DELETE
method in IIS. In Apache, they are disabled by default and you have to
uncomment a couple of lines scattered in the configuration file if you
really want to shoot yourself in the foot.

Here is the vendor URL:
http://www.listsitepro.com/

What am I supposed to find here?


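Added example, not part of the original post: one way to check a web server's W3C extended log (the format IIS writes) for the condition described in the message above, a PUT or DELETE that succeeded without an authenticated user. The sample log lines, paths and addresses are constructed, and the function name is hypothetical.

```python
# Added example: flag successful unauthenticated PUT/DELETE requests in a
# W3C extended log. All sample lines below are constructed for illustration.
WRITE_METHODS = {"PUT", "DELETE"}

SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2001-07-09 21:02:11 192.0.2.10 - GET /index.html 200
2001-07-09 21:03:40 192.0.2.77 - PUT /lists/lspro_list_header.txt 201
2001-07-09 21:04:02 192.0.2.77 - PUT /scripts/test.txt 403
2001-07-09 21:05:19 192.0.2.15 editor PUT /lists/news.txt 200
2001-07-09 21:06:55 192.0.2.77 - DELETE /lists/old.txt 204
"""

def find_anonymous_writes(log_text):
    """Return (timestamp, client, method, uri, status) for every PUT/DELETE
    that succeeded (2xx) while cs-username was '-' (no authenticated user)."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order may change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                       # truncated or malformed record
        rec = dict(zip(fields, values))
        try:
            status = int(rec.get("sc-status", ""))
        except ValueError:
            continue
        method = rec.get("cs-method", "").upper()
        # Assumption: a log without a cs-username column is treated as anonymous.
        if (method in WRITE_METHODS and rec.get("cs-username", "-") == "-"
                and 200 <= status < 300):
            stamp = f"{rec.get('date', '')} {rec.get('time', '')}".strip()
            hits.append((stamp, rec.get("c-ip", "?"), method,
                         rec.get("cs-uri-stem", "?"), status))
    return hits

if __name__ == "__main__":
    for hit in find_anonymous_writes(SAMPLE_LOG):
        print(*hit)
```

Any hit means the server accepted a write without credentials, so the target directory's permissions and the server's write access setting are the first things to review.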

