mailing list archives
Re: Doubledot bug in FrontPage FrontPage Personal Web Server.
From: george_gales () NON HP COM (GALES,SIMON (Non-A-ColSprings,ex1))
Date: Fri, 18 Feb 2000 14:46:47 -0700
I've attempted to reproduce this on:
Windows NT 4.0 Workstation SP5
Windows NT 4.0 Workstation SP3
Windows NT 4.0 Workstation SP1
with no joy.
I'm running FP98, which installed PWS 220.127.116.116.
Does this only occur on Win9x? Has anyone been able to reproduce this?
Jan, which OS/SP were you running?
I vaguely remember some discussion (in BugTraq or NTBugTraq maybe?) about
using "..." and/or "...." from the command prompt, and this is probably tied
to that problem.
G. Simon Gales
george_gales () non hp com <mailto:george_gales () non hp com>
From: Jan van de Rijt [mailto:rijt () WISH NET]
Sent: Tuesday, February 15, 2000 6:16 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Doubledot bug in FrontPage FrontPage Personal Web Server.
Description: Doubledot bug in FrontPage FrontPage Personal Web Server.
Compromise: Accessing drive trough browser.
Vulnerable Systems: Frontpage-PWS32/18.104.22.1686 other versions not tested.
When FrontPage-PWS runs a site on your c:\ drive your drive could be
accessed by any user accessing your page, simply by requesting any file in
any directory except the files in the FrontPage dir. specially /_vti_pvt/.
How to exploit this bug?
Simply adding /..../ in the URL addressbar.
so by requesting http://www.target.com/..../Windows/Admin.pwl
<http://www.target.com/..../Windows/Admin.pwl> the webserver let us
download the .pwl file from the target.
Files and dirs. with the hidden attribute set are vulnerable.
The best solution is installing FrontPage on a drive that doesn't contain
Jan van de Rijt aka The Warlock.