I've attempted to reproduce this on:
    Windows NT 4.0 Workstation SP5
    Windows NT 4.0 Workstation SP3
    Windows NT 4.0 Workstation SP1
with no joy. 
 
I'm running FP98, which installed PWS 3.0.2.926.
 
Does this only occur on Win9x?  Has anyone been able to reproduce this?  Jan, which OS/SP were you running?
 
I vaguely remember some discussion (in BugTraq or NTBugTraq maybe?) about using "..." and/or "...." from the command prompt, and this is probably tied to that problem.
 
G. Simon Gales
 
-----Original Message-----
From: Jan van de Rijt [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 15, 2000 6:16 PM
To: [EMAIL PROTECTED]
Subject: Doubledot bug in FrontPage FrontPage Personal Web Server.

Description: Doubledot bug in FrontPage Personal Web Server.
Compromise: Accessing drive through browser.
Vulnerable Systems: Frontpage-PWS32/3.0.2.926 other versions not tested.
Details:
When FrontPage-PWS runs a site on your c:\ drive, your drive could be accessed by any user accessing your page, simply by requesting any file in any directory except the files in the FrontPage dir., especially /_vti_pvt/.
 
How to exploit this bug?
Simply adding /..../ in the URL address bar.
 
http://www.target.com/..../<any_dir>/<any_file>
 
So by requesting http://www.target.com/..../Windows/Admin.pwl the webserver lets us download the .pwl file from the target.
 
Files and dirs. with the hidden attribute set are vulnerable.
 
Solution:
The best solution is installing FrontPage on a drive that doesn't contain private information.
 
Greetings,
 
Jan van de Rijt aka The Warlock.
