Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Vulnerability Development: Idiocy "exploit"

Idiocy "exploit"

From: Roy Wilson <emperor_at_SQUONK.NET>
Date: Wed, 1 Dec 1999 08:02:40 -0500

        I don't know if this is really suitable for this list, it's
more of a "pay attention to what you're doing, dummy" "exploit.

        I was cruising a .GOV site the other day with GetRight in
Browse mode (an enhanced FTP client, it appears), while walking a
client through the directories he needed to traverse to find the file
he wanted (a database).

        We were getting different file counts - his Netscape would show
7 files, GR on my end would show 28.

        After about two hours of messing around trying to find out what
was going on, we finally found it.

        He had Netscape set to the default "Mozilla@" for anon login
password. If I set GR to any email address other than the one I was
using the first time around, I only saw the seven files as well.

        The other 21 files were the raw data the cgi script used to
build sorted db's for HTML display.

        The email address that showed all data?

                fraud_at_irs.gov

        Being the curious person that I am, I started hitting state
level sites as well as federal. About a third of them showed more
files with the fraud@ than with mozilla@.
Received on Dec 01 1999

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos