[Full-Disclosure] IFH-ADV-31337 File Source disclosure vulnerability in all web servers.

2004-06-16 Thread Hugo Vazquez Carapez
File Source disclosure vulnerability in all web servers.


Infohacking Security Advisory 04.16.04
www.infohacking.com
Jun 16, 2004


I. BACKGROUND

We discovered a very dangerous file source disclosure vulnerability in all
webservers. This issue can be exploited using Microsoft Internet Explorer
and probably other browsers.


II. DESCRIPTION


Remote exploitation of this issue can be achieved by clicking with the
right button into the website and selecting the "view source code" option.
This option will display the contents of the html code.


For more leet exploitation is also possible using lynx --source http://vulnerable.site/file.html


III. ANALYSIS


Successful exploitation allows an attacker to gain very very very sensible
information of the website.



IV. DETECTION


Infohacking has confirmed that all webservers are vulnerable to this
problem. Sites like microsoft, securityfocus, hack.co.za and others are
vulnerable too!



V. WORKAROUNDS


No work.. indeed.


VI. CVE INFORMATION


This is an 0day bug... so still no bid and CVE.


VII. DISCLOSURE TIMELINE


02/18/04 Hugo notified the bug to [EMAIL PROTECTED]
03/11/04 Initial vendor notification - no response
03/30/04 Secondary vendor notification - no response
05/20/04 We hack iberia.com
06/17/04 Public Disclosure


VIII. CREDIT

Hugo Vázquez Carapez http://www.infohacking.com/dirhugo.gif


Get pwned by script kiddies?
Call us, we can hack you again.


IX. LEGAL NOTICES


Copyright (c) 2004 INFOHACKING, Inc.


Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of INFOHACKING. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.


Disclaimer: Infohacking is pretty whitehat and lame. If you are a part
of the blackhat community, please hack and remove us from the net




___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] IFH-ADV-31337 File Source disclosure vulnerability in all web servers.

2004-06-16 Thread morning_wood
rofl, are you sure you're not "Bipin" ?


> Subject: [Full-Disclosure] IFH-ADV-31337 File Source disclosure vulnerability in all web servers.

> File Source disclosure vulnerability in all web servers.
> Remote exploitation of this issue can be achieved by clicking with the
> right button into the website and selecting the "view source code" option.
> This option will display the contents of the html code.



Re: [Full-Disclosure] IFH-ADV-31337 File Source disclosure vulnerability in all web servers.

2004-06-18 Thread CrYpTiC MauleR
OMFG!!! *shits pants*

 O.O
  O

How do I patch??!?!?!?!? *shuts down servers*
