webcom.cgi.guestbook.txt

1999-08-17T00:00:00
ID PACKETSTORM:12081
Type packetstorm
Reporter David Litchfield
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Date: Fri, 9 Apr 1999 20:41:39 +0100  
From: Mnemonix <mnemonix@GLOBALNET.CO.UK>  
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM  
Subject: Webcom's CGI Guestbook for Win32 web servers  
  
  
I reported a while back on Webcom's (www.webcom.se) CGI Guestbook (wguest.exe and rguest.exe) having a number of security  
problems where any text based file on an NT machine could be read from the file system provided the attacker knew the path to  
the file and the Anonymous Internet Account (IUSR_MACHINENAME on IIS) has the NTFS read right to the file in question. On  
machines such as Windows 95/98 without local file security every file is readable. wguest.exe is used to write to the Guestbook  
and rguest.exe is used to read from the Guestbook  
  
Their latest version has made this simpler: A request for http://server/cgi-bin/wguest.exe?template=c:\boot.ini will return the  
remote Web server's boot.ini and http://server/cgi-bin/rguest.exe?template=c:\winnt\system32\$winnt$.inf will return the  
$winnt$.inf file.  
  
Why the developers at Webcom have not resolved this issue in their latest version is bordering the criminal. I received no  
response to my mail to them about this. Anybody using this Guestbook should remove it as soon as possible and obtain another CGI  
Guestbook if you really need one.  
  
Cheers,  
David Litchfield  
  
http://www.arca.com  
http://www.infowar.co.uk/mnemonix/  
`