Vulnerability Development mailing list archives
Re: List Site Pro, an intresting number of site "hacks"
From: Michel Arboi <arboi () yahoo com>
Date: Tue, 10 Jul 2001 08:14:18 +0200 (CEST)
--- Siberian <siberian () sentry-labs com> wrote:
> The file modified was lspro_list_header.txt I think, whose permissions were set to 666. Are they using a simple put to modify? Is put supported by any webserver by default?
Yes it is, by IIS (is this really a surprise? :) If your permissions are wrong, it will accept "anonymous" PUT, without a password. As far as I know, there is no simple way to disable the PUT or DELETE method in IIS. In Apache, they are disabled by default and you have to uncomment a couple of lines scattered in the configuration file if you really want to shoot yourself in the foot.
> Here is the vendor URL: http://www.listsitepro.com/
What am I supposed to find here?
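An added example, not part of the original message or of List Site Pro: a Python audit for the two conditions discussed in this thread, files under a web root that anyone can write to (such as a mode 666 file) and a server whose OPTIONS response advertises PUT or DELETE. The temporary directory, the sample response and all function names are constructed for illustration.

```python
import os
import stat
import tempfile

WRITE_METHODS = {"PUT", "DELETE"}  # the methods named in the message

def world_writable_files(docroot):
    """Return sorted relative paths of regular files writable by 'other'."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, docroot))
    return sorted(hits)

def write_methods_allowed(raw_response):
    """Return write-capable methods listed in the Allow header of a raw
    HTTP response to an OPTIONS request."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    allowed = set()
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            allowed.update(m.strip().upper() for m in value.split(",") if m.strip())
    return sorted(allowed & WRITE_METHODS)

# Constructed sample: what a server with write methods enabled might return.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, GET, HEAD, POST, PUT, DELETE\r\n"
    "Content-Length: 0\r\n\r\n"
)

def demo():
    """Build a throwaway web root with one 666 file and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("lspro_list_header.txt", 0o666), ("index.html", 0o644)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)  # explicit mode, independent of umask
        return world_writable_files(root), write_methods_allowed(SAMPLE_OPTIONS_RESPONSE)

if __name__ == "__main__":
    print(demo())
```

An Allow header only shows what the server advertises; whether a PUT actually succeeds still depends on the server's write settings and the permissions on the target file.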