Personal web server

kiborg (contact@kiborg.net)
Wed, 17 Jan 1996 22:30:13 +0200

Hello,

Sorry if this has already been known. But I didn't find something of the
sort.
While playing with Microsoft Personal Web Server
(Frontpage-PWS32/3.0.2.926).
I found that the following URL will list the root directory and be able to
download any file you want.
http://www.victim.com/....../

Index of /....../

WINDOWS
My Documents
Program Files
FrontPage Webs
AUTOEXEC.BAT
COMMAND.COM

and so on.......

-----
contact@kiborg.net          Your letters, raindrops,
http://www.kiborg.net       will tell me so much pa pa-rara !

---------------------------------------------------------------------------

Re: Personal web server

Sean Coates (sean@SPATULA.ML.ORG)
Mon, 18 Jan 1999 14:12:32 -0400

kiborg wrote:

> Hello,
>
> Sorry if this has already been known. But I didn't find something of the
> sort.
> While playing with Microsoft Personal Web Server
> (Frontpage-PWS32/3.0.2.926).
> I found that the following URL will list the root directory and be able to
> download any file you want.
> http://www.victim.com/....../
>

That seems to be fixed in the Windows 98 version of PWS
(http://24.231.6.49/....../ returns server error 161)

Sean Coates
scoates@usa.net
sean@spatula.ml.org

---------------------------------------------------------------------------

Date: Tue, 19 Jan 1999 10:21:24 -0800
From: Aleph One
To: BUGTRAQ@netspace.org
Subject: Re: Personal web server

Here is some feedback from people. Results vary wildly.

No:

Windows NT 4.0 SP3 ("kiborg")
Windows NT 4.0 SP4 (Russ)
Windows NT 4.0 SP4 PWS 4.02.0622
Windows 2000 beta 2 ("John Sweeney")
Windows 98 (Sean Coates scoates@usa.ne)

Yes:

Windows 95 ("kiborg")
Windows 98 ("kiborg")
Windows 98 + fixes & patches ("David Schwartz")

Someone mentioned this may be the fault of FrontPage. It asks you to
install PWS when you install FP. It may be possible that FP is configuring
PWS in such a way to leave it open.

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

---------------------------------------------------------------------------

Date: Thu, 18 Jan 1996 23:44:37 +0200
From: kiborg
To: BUGTRAQ@netspace.org
Subject: Re: Personal web server

>An attempt to do this on a Windows NT 4.0 WS (with SP4) failed with a
>404 error as expected.

Yes, on NT 4.0 (SP3) I get the same.

404 Not Found
The requested URL /....../ was not found on this server.

>Maybe Kiborg can tell us on what platform this was successfully
>performed on together with what, if any, security was configured on said
>box.

I did check on:
Win95 worked.
Win98 worked.
and on NT 4.0 (SP3) failed with 404 error.

>
>Obviously /....../ shouldn't match to any directory by any convention
>I'm aware of, so its clearly some sort of problem. To determine,
>however, the extent of the risks for Win9x users of PWS we should know
>how the site was being secured, configured, and accessed.

Well, I discovered that http://127.0.0.1/..../ or http://127.0.0.1/........./
(must be more than 3 dots /..../) will show the root directory.

-----
contact@kiborg.net          Your letters, raindrops,
http://www.kiborg.net       will tell me so much pa pa-rara !
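
---------------------------------------------------------------------------

Added example, not part of the original thread or of any poster's code: a log check for the requests discussed above. It flags any request path that contains a segment made up only of dots (the /..../ and /....../ forms reported in the thread, generalised to any length of two or more and to percent-encoded or backslash-separated forms). The Common Log Format input, the sample lines and the function names are assumptions made for the illustration.

```python
"""Flag request paths that contain dot-only segments (added example)."""
import re
from urllib.parse import unquote

# Assumed input: Common Log Format request and status fields.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def dot_segments(raw_path, max_decode=3):
    """Return the dot-only segments (two or more dots) in a request path.

    Percent-decoding is repeated a few times so %2e and %252e forms are
    caught, and backslashes are treated as separators as Windows does.
    """
    path = raw_path.split("?", 1)[0]          # ignore the query string
    for _ in range(max_decode):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = re.split(r"[/\\]+", path)
    return [s for s in segments if len(s) >= 2 and set(s) == {"."}]

def scan(log_lines):
    """Yield (path, status, segments) for every request with such a segment."""
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = dot_segments(m.group(1))
        if hits:
            yield m.group(1), int(m.group(2)), hits

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jan/1999:10:00:01 -0800] "GET /index.htm HTTP/1.0" 200 512',
    '192.0.2.10 - - [19/Jan/1999:10:00:05 -0800] "GET /....../ HTTP/1.0" 200 2048',
    '192.0.2.11 - - [19/Jan/1999:10:01:12 -0800] "GET /..../ HTTP/1.0" 200 2048',
    '192.0.2.12 - - [19/Jan/1999:10:02:40 -0800] "GET /%2e%2e%2e%2e/ HTTP/1.0" 404 0',
    '192.0.2.13 - - [19/Jan/1999:10:03:00 -0800] "GET /docs/v1.2.../notes.txt HTTP/1.0" 200 90',
]

if __name__ == "__main__":
    for path, status, hits in scan(SAMPLE_LOG):
        # A 200 means the server resolved the path; a 404 means it refused.
        verdict = "SERVED" if status == 200 else "rejected"
        print(f"{verdict:8} {status} {path} -> {hits}")
```

A 200 status on a flagged path corresponds to the "Yes" systems in the thread, a 404 to the "No" systems.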