-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello all;
Ahh yes... this is very true; however, security-conscious WebSite users should
know that there is an easy fix for this by applying a simple WSAPI-compliant
DLL (no, don't read this as a cop-out for O'Reilly, but it is a fix /
workaround for this issue) such as HAL9000.dll and a quick modification to the
registry to load the WSAPI extension. Check out http://wgg.com/wgg/best/ for
some good WebSite *API utilities. I want to say this is one of the reasons
that early httpd.exe was such a good entrant: the author ( ?? Denny ?? ) never
seemed to let go of the close ties to the users of his product and their
concerns with security. I think I have seen maybe two WebSite security-related
issues on BugTraq (although there may be many more :) that's a good sign, I
think.
Eric
Eric Williams, Pres.
Information Brokers, Inc. Phone: +1 202.889.4395
http://www.infobro.com/ Fax: +1 202.889.4396
mailto:[EMAIL PROTECTED]
For More Info: [EMAIL PROTECTED]
PGP Public Key
http://new.infobro.com/KeyServ/EricDWilliams.asc
Finger Print: 1055 8AED 9783 2378 73EF 7B19 0544 A590 FF65 B789
On Tuesday, March 20, 2001 1:44 PM, Fab Siciliano
[SMTP:[EMAIL PROTECTED]] wrote:
> Actually, you can request ANY file that doesn't exist....and receive the
> same error.....just for the sake of tryin', I typed in:
> http://vulnerable.server.com/html.html and got the path to the file, I guess
> it's your typical Path Disclosure vulnerability. Not sure about a patch on
> this one.
>
>
> ----- Original Message -----
> From: Roberto Moreno <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, March 16, 2001 5:44 PM
> Subject: WebServer Pro All Version Vulnerability
>
>
> > WebServer Pro All Version Vulnerability
> >
> > Wildman
> > [EMAIL PROTECTED]
> > [EMAIL PROTECTED]
> >
>
>
> --------------------------------------------------------------------------------
>
>
> > -- WebSite Pro 2.5.4/all versions Vulnerability -- March 15, 2001
> >
> > Website Pro, all versions, reveals the web directory with a simple
> > character similar to the past vulnerability but all have been fixed
> > except this one.
> >
> > Example:
> >
> > www.target.com/:/ <-this will reveal the exact location
> >
> >
> > 403 Forbidden
> > File for URL /:/ (E:\webdir\:) cannot be accessed:
> > The filename, directory name, or volume label syntax is incorrect.
> >
> > (code=123)
> >
> > No fix yet.
> >
> >
> > ~~~~~~~~~~~~~~~~~~~~
> > Wildman
> > www.hackcanada.com
> > [EMAIL PROTECTED]
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQA/AwUBOrpyRQVEpZD/ZbeJEQLQ4QCdFp9o9SKfkiVdtInO1dHaSQPyAFoAoOr+
8wI64DMdzK66gC4hPXQBqlmg
=QL0q
-----END PGP SIGNATURE-----
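
Added example, not part of the original thread: a server-side check in Python that looks for absolute filesystem paths in an error body such as the 403 quoted in the advisory, and substitutes a generic message when one is found. The function names, the pattern list (which goes beyond the drive-letter case in the thread to UNC and common Unix roots) and the `CLEAN_404` sample are assumptions made for illustration.

```python
import re
from http import HTTPStatus

# Characters that end a path token in error text (whitespace, quotes, brackets).
_TAIL = r"[^\s\x22\x27<>()]*"
_LEAK_PATTERNS = [
    re.compile(r"(?<![A-Za-z0-9])[A-Za-z]:\\" + _TAIL),               # drive path: E:\webdir\:
    re.compile(r"(?<!\\)\\\\[^\s\\\x22\x27<>()]+\\" + _TAIL),          # UNC path: \\host\share
    re.compile(r"(?<![\w/:.])/(?:home|var|usr|etc|opt|srv)/" + _TAIL),  # common Unix roots
]

def find_path_leaks(body):
    """Return every absolute filesystem path found in a response body."""
    return [m.group(0) for pat in _LEAK_PATTERNS for m in pat.finditer(body)]

def safe_error_body(status, body):
    """Pass error bodies through unless they leak a path; then send only the
    generic reason phrase, so a path containing spaces cannot partly survive."""
    if status < 400 or not find_path_leaks(body):
        return body
    return f"{status} {HTTPStatus(status).phrase}\n"

# Error text quoted in the advisory above.
ADVISORY_403 = (
    "403 Forbidden\n"
    "File for URL /:/ (E:\\webdir\\:) cannot be accessed:\n"
    "The filename, directory name, or volume label syntax is incorrect.\n"
    "(code=123)\n"
)
# Constructed sample: an error page that names only the URL, not the disk path.
CLEAN_404 = "404 Not Found\nThe requested URL /html.html was not found.\n"

if __name__ == "__main__":
    for status, body in ((403, ADVISORY_403), (404, CLEAN_404)):
        print(status, find_path_leaks(body), repr(safe_error_body(status, body)))
```

The patterns are heuristics: a link such as `href="/usr/..."` in an error page would be flagged, so review hits before wiring the check into a response filter.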