Microsoft Personal Web Server, FrontPage Personal Web Server Vulnerability

Vulnerability ID: 1105245 Vulnerability type: Unknown
Published: 1996-01-17 Updated: 2005-05-02
CVE ID: CVE-1999-0386 CNNVD-ID: CNNVD-199903-021
Platform: Windows CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/19753
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199903-021
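|Vulnerability details
Microsoft Personal Web Server and FrontPage Personal Web Server are vulnerable on some Windows systems. A remote attacker can read files on the server by using a non-standard URL.
|Vulnerability EXP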
source: http://www.securityfocus.com/bid/989/info

Microsoft's Personal Web Server and Front Page Personal Web Server will follow '/..../' strings in requested URLs, allowing remote users to obtain unauthenticated read access to files and directories on the same logical drive as the web content. Hidden files are viewable via this method, although the Front Page directory itself is not. The name and path of the desired file must be known to the attacker.

Note that while these programs support Windows 95, 98 and NT, only the Win9x versions are vulnerable. 

http://target/..../directory/filename.ext
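
A defender-side check for the request pattern described above, as an added example that is not part of the original advisory: it scans web server access logs for path segments made up only of dots. It goes beyond the '/..../' case to any dot-only segment of two or more dots, including percent-encoded forms; the Common Log Format input and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format entry: client, ident, user, [time], "METHOD target PROTO", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')
DOTS_ONLY = re.compile(r'^\.{2,}$')  # "..", "...", "....", and longer runs

def dot_segments(target, max_decode=3):
    """Return the path segments of a request target that consist only of dots."""
    path = target.split("?", 1)[0]  # ignore the query string
    # Undo repeated percent-encoding (%2e, %252e) so encoded dots are seen too.
    for _ in range(max_decode):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Windows servers accept "\" as a separator, so treat it like "/".
    segments = path.replace("\\", "/").split("/")
    return [s for s in segments if DOTS_ONLY.match(s)]

def scan(lines):
    """Return (client, target, status, dot-only segments) for suspicious entries."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable Common Log Format line
        client, _method, target, status = m.groups()
        found = dot_segments(target)
        if found:
            hits.append((client, target, int(status), found))
    return hits

# Constructed sample log lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.44 - - [01/Jan/2000:10:00:05 +0000] "GET /..../directory/filename.ext HTTP/1.0" 200 2048',
    '192.0.2.44 - - [01/Jan/2000:10:00:09 +0000] "GET /%2e%2e%2e%2e/directory/filename.ext HTTP/1.0" 404 0',
    '192.0.2.10 - - [01/Jan/2000:10:00:12 +0000] "GET /docs/v1.0.../notes.txt HTTP/1.0" 200 90',
]

if __name__ == "__main__":
    for client, target, status, found in scan(SAMPLE_LOG):
        print(f"{client} {status} {target} dot-only segments: {found}")
```

A hit with a 200 status is the one to triage first, since it means the server returned content for the dot-only path.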
|References

Source: OSVDB
Name: 111
Link: http://www.osvdb.org/111
Source: MS
Name: MS99-010
Link: http://www.microsoft.com/technet/security/bulletin/ms99-010.mspx