Subject: Re: Doubledot bug in FrontPage FrontPage Personal Web Server.
From: GALES,SIMON (Non-A-ColSprings,ex1) (george_gales@NON.HP.COM)
Date: Fri Feb 18 2000 - 15:46:47 CST


I've attempted to reproduce this on:
    Windows NT 4.0 Workstation SP5
    Windows NT 4.0 Workstation SP3
    Windows NT 4.0 Workstation SP1
with no joy.

I'm running FP98, which installed PWS 3.0.2.926.

Does this only occur on Win9x? Has anyone been able to reproduce this?
Jan, which OS/SP were you running?

I vaguely remember some discussion (in BugTraq or NTBugTraq maybe?) about
using "..." and/or "...." from the command prompt, and this is probably tied
to that problem.

G. Simon Gales
george_gales@non.hp.com

-----Original Message-----
From: Jan van de Rijt [mailto:rijt@WISH.NET]
Sent: Tuesday, February 15, 2000 6:16 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Doubledot bug in FrontPage FrontPage Personal Web Server.

Description: Doubledot bug in FrontPage FrontPage Personal Web Server.
Compromise: Accessing drive through browser.
Vulnerable Systems: Frontpage-PWS32/3.0.2.926; other versions not tested.
Details:
When FrontPage-PWS runs a site on your c:\ drive your drive could be
accessed by any user accessing your page, simply by requesting any file in
any directory except the files in the FrontPage dir. specially /_vti_pvt/.

How to exploit this bug?
Simply adding /..../ in the URL addressbar.

http://www.target.com/..../<any_dir>/<any_file>

so by requesting http://www.target.com/..../Windows/Admin.pwl the webserver
let us download the .pwl file from the target.

Files and dirs. with the hidden attribute set are vulnerable.

Solution:
The best solution is installing FrontPage on a drive that doesn't contain
Private information.

Greetings,

Jan van de Rijt aka The Warlock.
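The defensive counterpart to the "...." request described in the advisory above, as an added example that is not part of this thread or of FrontPage PWS: a path canonicalisation check of the kind a filesystem-backed web server must run before mapping a URL to a file, plus a scan of web-server log lines for requests that fail it. It assumes that any dot-only segment longer than ".." is never a legitimate name and is treated as a traversal attempt; the log entries are constructed for the example.

```python
import re
from urllib.parse import unquote

# Dot-only URL segments: ".." is normal; "..." and "...." are the forms the advisory abuses.
DOT_ONLY = re.compile(r"^\.{2,}$")


def check_request_path(url_path: str) -> dict:
    """Canonicalise a request path before mapping it to a file; report refusal reasons."""
    reasons = set()
    # Decode percent-encoding once; treat "\" as a separator, as Windows does.
    path = unquote(url_path).replace("\\", "/")
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if DOT_ONLY.match(seg):
            if len(seg) > 2:  # assumption: never a legitimate name, so a traversal attempt
                reasons.add(f"dot-only segment {seg!r}")
            if stack:
                stack.pop()
            else:  # a parent reference with nothing to pop escapes the document root
                reasons.add("path climbs above document root")
            continue
        stack.append(seg)
    resolved = "/" + "/".join(stack)
    return {"resolved": resolved, "reasons": sorted(reasons), "allowed": not reasons}


# Request line inside a common-log-format entry, e.g. "GET /x HTTP/1.0".
REQUEST_LINE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/\d\.\d"')


def flag_traversal_requests(log_lines):
    """Return (client, path, reasons) for each entry whose request path fails the check."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        verdict = check_request_path(m.group("path"))
        if not verdict["allowed"]:
            hits.append((line.split()[0], m.group("path"), verdict["reasons"]))
    return hits


# Constructed sample entries (not from the advisory): one uses the "...." segment, one a percent-encoded "...".
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Feb/2000:18:16:00 -0500] "GET /index.htm HTTP/1.0" 200 512',
    '10.0.0.9 - - [15/Feb/2000:18:16:04 -0500] "GET /..../Windows/Admin.pwl HTTP/1.0" 200 688',
    '10.0.0.9 - - [15/Feb/2000:18:16:07 -0500] "GET /docs/../index.htm HTTP/1.0" 200 512',
    '10.0.0.9 - - [15/Feb/2000:18:16:09 -0500] "GET /%2e%2e%2e/autoexec.bat HTTP/1.0" 200 120',
]
```

A plain ".." that stays inside the root (the third entry) is resolved and allowed; only requests that escape the root or use a multi-dot segment are reported.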