[Full-Disclosure] Novell WebAccess
From: noAcces (noacces_at_lycos.nl)
To: email@example.com
Date: Fri, 07 Jan 2005 09:42:04 GMT
I was playing around when I found a small problem with Novell's WebAccess.
With User.lang you can give in your language as a parameter. I tried some different stuff there, and when I tried "> so that the URL would be hxxp://www.notsohappyserver.com/servlet/webacc?User.Lang="> a link appeared. I clicked it and so I found some unprotected dirs.
The problem is that the file hxxps://www.notsohappyserver/com/novell/webaccess/WebAccessUninstall.ini contains info about the servername context and install paths.
It seems that this is working on almost every WebAccess server.
Full-Disclosure - We believe in it.
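
A log check for the two request patterns described in the post above, as an added example that is not part of the original message: it flags requests to `/servlet/webacc` whose `User.Lang` value is not a plain language code, and any request for `WebAccessUninstall.ini`. The combined-style log format, the language-code pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: legitimate User.Lang values are short codes such as "en" or "pt-BR".
LANG_OK = re.compile(r"^[A-Za-z]{2,3}([-_][A-Za-z]{2,4})?$")
# Request line as written in a combined-style access log (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(line):
    """Return the findings for one access-log line (empty list if none)."""
    m = REQUEST.search(line)
    if not m:
        return []
    parts = urlsplit(m.group(1))
    path = parts.path.lower()
    findings = []
    # The file named in the post; matched by name so the directory can differ.
    if path.endswith("/webaccessuninstall.ini"):
        findings.append("uninstall-ini-request")
    if path.endswith("/servlet/webacc"):
        # parse_qsl percent-decodes, so %22%3E is compared as the raw "> value.
        for key, value in parse_qsl(parts.query):
            if key.lower() == "user.lang" and not LANG_OK.match(value):
                findings.append("unexpected-user-lang")
    return findings

def scan(lines):
    """Return (line_number, finding) pairs for every flagged line."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in classify(line)]

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [07/Jan/2005:09:40:01 +0000] '
    '"GET /servlet/webacc?User.Lang=en HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Jan/2005:09:41:13 +0000] '
    '"GET /servlet/webacc?User.Lang=%22%3E HTTP/1.1" 200 4876',
    '198.51.100.7 - - [07/Jan/2005:09:41:40 +0000] '
    '"GET /com/novell/webaccess/WebAccessUninstall.ini HTTP/1.1" 200 912',
    '192.0.2.10 - - [07/Jan/2005:09:42:02 +0000] '
    '"GET /index.html HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE):
        print(f"line {number}: {finding}")
```

A 200 response to the `.ini` request in your own logs means the file is being served and should be removed or blocked at the web server.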